Hi,
I came across a strange/unexpected behavior of FilesMatch.
Example config to reproduce the issue:
<Directory /usr/local/apache2/htdocs/test>
Order Deny,Allow
Deny from all
<FilesMatch "bar$">
Allow from all
</FilesMatch>
</Directory>
- requesting "/test/blah" returns a forbidden error, which is OK
- requesting "/test/foo.bar" returns the file if it exists, which is OK
- requesting "/test/is/here/foo.bar" returns the file if it exists,
which is OK
- requesting "/test/not/here/foo.bar" (with the directory "not"
not existing) returns a forbidden error instead of a 404 error.
In this case Apache walks up to "/usr/local/apache2/htdocs/test" and
then uses "not" as the basename and matches the regex from FilesMatch
against this. So using 'FilesMatch "not$"' would actually match and a
404 error is returned.
FilesMatch is more about matching against actual files and not virtual
URL paths, but I find it strange that "not" instead of "foo.bar" is
used as the basename for the regex match.
In most cases it probably doesn't matter if you get a 404 or a forbidden
error, but once you start doing RewriteRule stuff the above can lead to
unexpected results.
Add the following RewriteRules to the directory section:
RewriteRule ^/test/is/here/foo.bar$ /foo.bar [L]
RewriteRule ^/test/not/here/foo.bar$ /foo.bar [L]
- requesting "/test/is/here/foo.bar" redirects and returns the file /foo.bar
- requesting "/test/not/here/foo.bar" redirects internally, but then returns
a forbidden error.
In this case Apache first matches the basename "not" *and* the basename
"foo.bar" again the FilesMatch regex which fails ...
Using 'FilesMatch "(not|bar)$"' would actually work in this case, but
is not really something I would have expected.
Tested with 2.0.63 and 2.2.11.
ciao...
--
Lars Eilebrecht
[email protected]
