http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From [EMAIL PROTECTED] 2007-03-06 07:10 -------

OK, you want a response I guess, so I will give one.

.htaccess is and has been advocated in many places as the way to institute security. The reason it is claimed as a myth is precisely because it is so widely practiced. Also it makes much more sense to associate security with the directory that is being secured than it is to bury it in a config file that only the sysadmin is able to get at and forget about. I.e., not only is it widely practiced, it is a sensible practice. Except on very high volume web sites, the overhead is minimal, and for those high volume sites, having alternatives in the .conf file is a great idea.

b) I have suggested time and again, but you are not listening, that if AllowOverride None is there, the presence of a .htaccess file should disallow access, not allow it. Security defaults should NOT, by default, switch off security. Yes, .htaccess CAN be used for other things. I suspect that if you look around the world, by far the greatest use of .htaccess is to limit access to directories -- to implement security. Ignoring that may be convenient to you, but I still place it in the "That's not a bug, that's a feature" category.

c) In the .conf file, AllowOverride None is called "conservative" and no mention is made that this disables .htaccess completely. This is just wrong. Apache, as with all computer programs, is used by people who have other jobs to do and do not memorize the manual. They trust what is written in the sample .conf files.

d) Apache has changed from Apache 1 to Apache 2 with massive changes to the .conf file structures, changes which continue. Furthermore, for most Linux distributions the advice is "reinstall, do not upgrade". That means that on each reinstall .conf files must be recreated. And a simple diff between the old and new is impossible because so many changes have been made.

It is simply impossible for anyone without a massive excess of time on their hands to go through each and every one of the options once again to see what it does, to see if it destroys previously built security. One assumes that the defaults Apache puts in will not disable security, especially from a group who claims to value security. And to add insult to injury, Apache claims that this destruction of a security barrier is "conservative" practice.

e) The claim "You are the first to complain about this" is the resort of incompetent and shady businesses around the world. I suspect that there are still a number of bugs in Apache which have been there since day 1. To dismiss a bug report on that basis is simply idiotic. Read my reasoning and argue with that. Do not claim "tradition" to defend a bad security practice. In my opinion, this IS a bug, and for you to defend it on the basis that it has always been there so it's OK simply makes you look bad.
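The failure mode the comment describes, a directory's .htaccess file that Apache silently ignores because the governing `<Directory>` block has `AllowOverride None` in effect, can be audited for from the administrator's side. The script below is an added example written for this thread; it is not code from the bug report or from the Apache project. It assumes literal `<Directory "/path">` blocks only (no wildcards, regexes or `<DirectoryMatch>`), inspects only the `AllowOverride` directive, treats an unset value as `None` (the Apache 2.4 default), and builds its own constructed sample tree and config under a temporary directory so it runs offline.

```python
"""Audit helper: report .htaccess files that Apache will silently ignore
because the <Directory> block governing them says AllowOverride None.

Constructed example for the AllowOverride None discussion, not Apache code.
Assumptions: only literal <Directory "/path"> blocks are parsed (no wildcards,
regexes or <DirectoryMatch>), only AllowOverride is inspected, and an unset
AllowOverride is treated as None (the Apache 2.4 default). Include, IfModule
and the rest of real httpd.conf processing are out of scope.
"""
import os
import re
import tempfile

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.IGNORECASE)
DIR_CLOSE = re.compile(r'^\s*</Directory>\s*$', re.IGNORECASE)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.IGNORECASE)


def parse_directory_blocks(conf_text):
    """Return {normalized_dir_path: allowoverride_value} for each block.
    A block that never sets AllowOverride maps to Python None (meaning
    "unset"), which is distinct from the literal string 'None'."""
    blocks = {}
    current = None
    for line in conf_text.splitlines():
        m = DIR_OPEN.match(line)
        if m:
            current = os.path.normpath(m.group(1))
            blocks.setdefault(current, None)
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        m = OVERRIDE.match(line)
        if m and current is not None:
            blocks[current] = m.group(1)
    return blocks


def effective_override(blocks, directory):
    """Apache merges <Directory> sections from shortest path to longest, so
    the AllowOverride in effect is the one set by the longest matching
    prefix. Unset everywhere -> None (assumed Apache 2.4 default)."""
    directory = os.path.normpath(directory)
    value = None
    for path in sorted(blocks, key=len):
        prefix = path.rstrip(os.sep) + os.sep
        if directory == path or directory.startswith(prefix):
            if blocks[path] is not None:
                value = blocks[path]
    return value if value is not None else "None"


def find_ignored_htaccess(conf_text, docroot):
    """Walk docroot and return the sorted paths of .htaccess files whose
    effective AllowOverride is None, i.e. whose directives (often access
    control) are silently not applied."""
    blocks = parse_directory_blocks(conf_text)
    ignored = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if ".htaccess" in filenames:
            if effective_override(blocks, dirpath).strip().lower() == "none":
                ignored.append(os.path.join(dirpath, ".htaccess"))
    return sorted(ignored)


def build_demo():
    """Constructed sample: two subdirectories each carrying an access-control
    .htaccess, with only 'public' granted AllowOverride AuthConfig."""
    docroot = tempfile.mkdtemp(prefix="htaccess-audit-")
    for sub in ("public", "private"):
        os.makedirs(os.path.join(docroot, sub))
        with open(os.path.join(docroot, sub, ".htaccess"), "w") as fh:
            fh.write("AuthType Basic\nRequire valid-user\n")
    conf = f"""
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "{docroot}">
    AllowOverride None
    Require all granted
</Directory>
<Directory "{docroot}/public">
    AllowOverride AuthConfig
</Directory>
"""
    return conf, docroot


def demo():
    """Run the audit over the constructed tree; returns (docroot, ignored)."""
    conf, docroot = build_demo()
    return docroot, find_ignored_htaccess(conf, docroot)


if __name__ == "__main__":
    root, ignored = demo()
    for path in ignored:
        print(f"IGNORED (AllowOverride None in effect): {path}")
```

Run against a real server, you would pass the contents of the merged httpd.conf and the DocumentRoot instead of the constructed pair; every path the audit prints is a directory whose owner believes it is protected by .htaccess but is not. The `private/.htaccess` file in the sample is exactly the case the comment complains about: it sets `Require valid-user`, yet the `Require all granted` in the enclosing block is what Apache actually enforces.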
