>Number: 3209 >Category: mod_access >Synopsis: Selectively enabling open access to default files fails >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Oct 14 09:40:00 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.3 >Environment: Solaris 2.4 gcc 2.7.2 mod_perl 1.15 >Description: Under Apache 1.2.4 I was using the following in some .htaccess files <Files "?*"> AuthType Basic AuthName "Some Domain" AuthDBUserFile "/path/to/dbfile" ... </Files> <Files "index.html"> allow from all </Files>
The idea being that index.html should be viewable without restrictions but that everything else should require a password. This worked fine under 1.2.4 (even when index.html is a directory :)) but not under 1.3.1 or 1.3.3. Under 1.3.x a password is always requested with this setup. If I remove the <Files "?*"> around the restrictions then explicit requests for index.html work fine (no password) but requests to the directory do not. >How-To-Repeat: Set up the above scenario (unfortunately I am inside a firewall and cannot put an example anywhere visible). >Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
