>Number: 4244 >Category: general >Synopsis: "Files" and "FilesMatch" regexp does not recognize bang as >negation operator >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Apr 14 12:40:01 PDT 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.3 >Environment: OpenBSD2.4 - all general patches >Description: A stement in .htaccess like the following should deny all non-.html files from being served: <Files ~ "!\.html$" > deny from all </Files>
Reality: the ! is not recognized as a negative match operator. All possible syntax/combinations of ! have been tried: !"\.html$" "!(\.html)$" etc. This is important so that .htaccess and .htpasswd files can be denied - even for users that have successfully authenticated following .htaccess rules. .htaccess parsing is before "Files", so the "Files" part has to be in the .htaccess part by itself: deny all .ht* files, then selectively allow all non-.ht* files. >How-To-Repeat: >Fix: Introduce a first-match exits rule for a sequence of <Files> </Files> blocks, rather than the "last match sticks" rule. This is in addition to the missing negation operator really. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
