DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=41760>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From [EMAIL PROTECTED] 2007-03-05 17:53 -------

OK, it is clear that this is not going to be addressed. One of the selling points of Apache is taking security seriously, but in this case tradition is clearly more important than security.

It is true that I went by the comments in the .conf file re the AllowOverride and did not see the comment in the documentation that None would disable all .htaccess. Note that the "Myths" clearly states "The only people to use .htaccess should be end-users who want control without having to bug the server admin." Which means that some action on the part of the sysadmin (changing the AllowOverride to None), either deliberately or by accident (installing a new version of Apache), can destroy the user's security. I would call that a design bug, but apparently this is a feature, not a bug.

I had a bunch of solutions for assignments on a web directory which was not supposed to be seen by students (and no, I do not want to bury the security deep inside a config file which changes each time the system is upgraded -- security belongs with the stuff being protected, not buried somewhere else) and suddenly discovered it was available to all. (I had my own machine as allowed in the .htaccess file, so was not surprised that I could see the pages.)

I will continue to think that this is idiotic behaviour for anyone who takes security at all seriously, but no longer expect that anyone else will pay any attention to my ranting about it, so with this rant will quit.
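An added example, not from the bug report or the Apache project: a Python audit that lists `.htaccess` files carrying access rules in directories where `AllowOverride None` is in effect, the situation the comment above describes. It assumes literal `<Directory>` paths in a single config text (no includes, wildcards or `AllowOverrideList`); the function names and the sample tree are constructed for illustration.

```python
import os, re, tempfile

ACCESS = re.compile(r"^\s*(Order|Allow|Deny|Require|AuthType|Satisfy)\b", re.I | re.M)

def parse_overrides(conf_text):
    """Map each literal <Directory> path to its AllowOverride value."""
    overrides, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = os.path.normpath(m.group(1).strip())
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and line.lower().startswith("allowoverride "):
            overrides[current] = line.split(None, 1)[1]
    return overrides

def effective_override(path, overrides, default="None"):
    """Most specific enclosing <Directory> wins; default is an assumption (it varies by version)."""
    best = ""
    for d in overrides:
        inside = path == d or path.startswith(d.rstrip(os.sep) + os.sep)
        if inside and len(d) > len(best):
            best = d
    return overrides.get(best, default)

def ignored_access_files(docroot, overrides, default="None"):
    """List .htaccess files with access rules where AllowOverride None applies."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        target = os.path.join(dirpath, ".htaccess")
        with open(target, encoding="utf-8", errors="replace") as fh:
            has_rules = bool(ACCESS.search(fh.read()))
        value = effective_override(os.path.normpath(dirpath), overrides, default)
        if has_rules and value.lower() == "none":
            findings.append(target)
    return sorted(findings)

def demo():
    """Constructed sample tree: two protected directories, one under None."""
    root = tempfile.mkdtemp()
    for name in ("solutions", "notes"):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, ".htaccess"), "w") as fh:
            fh.write("Order deny,allow\nDeny from all\nAllow from 192.0.2.10\n")
    conf = (f'<Directory "{root}">\nAllowOverride None\n</Directory>\n'
            f'<Directory "{root}/notes">\nAllowOverride Limit\n</Directory>\n')
    return root, ignored_access_files(root, parse_overrides(conf))
```

Running a check like this after every upgrade or config change, with `default` set to match the installed version, shows which per-directory restrictions are no longer being read.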
