https://issues.apache.org/bugzilla/show_bug.cgi?id=50371
Summary: missing? documentation on protecting .ht* files
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: [email protected]
ReportedBy: [email protected]
Hi.
Not sure whether I've overlooked something, but IMHO the Documentation should
include (mainly for "end-users", who easily forget this) the hint that the
".htaccess" file (and similar files) SHOULD be protected against being read by
(normally) anyone.
IMHO corresponding info should go to (at least):
http://httpd.apache.org/docs/2.2/howto/htaccess.html
and
http://httpd.apache.org/docs/2.2/misc/security_tips.html (in its OWN section or
at least not in "Watching your logs")
and perhaps also to:
http://httpd.apache.org/docs/2.2/mod/core.html#accessfilename
I found only one place where this is listed ATM:
http://httpd.apache.org/docs/2.2/misc/security_tips.html#watchyourlogs
There the following is used:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
AFAIU how configuration is merged, this alone might be insecure, namely if
anywhere "before" "Satisfy" is set to "Any".
Consider a dir /foo/ where this is done, and a subdir /foo/bar where the
.htpasswd file lies.
Now if a user gets authenticated, he should be able to read the
.htaccess/passwd (which is probably not wanted).
So may I suggest always using:
<FilesMatch "^\.ht">
Satisfy All
Order allow,deny
Deny from all
</FilesMatch>
(As far as I read, FilesMatch is preferred over the ~ form)
or
<Files ".ht*">
Satisfy All
Order allow,deny
Deny from all
</Files>
which should be the same (AFAIU) and even works if PCRE is not available.
HTH,
Chris
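The merge problem the report describes, as an added checker that is not part of the bug report or of httpd itself: a small Python audit that parses an httpd.conf-style text and flags a .ht* guard block that can be bypassed because "Satisfy Any" is set somewhere else while the guard lacks its own "Satisfy All". The sample configs are constructed for this example, use the 2.2-era directives quoted in the report, and the checker is a textual approximation of the merge rules, not Apache's own logic.

```python
import re

# One <Files ...>/<FilesMatch ...> container; group 4 catches a mismatched close tag.
BLOCK_RE = re.compile(r"<(Files|FilesMatch)\s+([^>]+)>(.*?)</(Files|FilesMatch)>",
                      re.IGNORECASE | re.DOTALL)

def _has_directive(text: str, pattern: str) -> bool:
    return re.search(r"^\s*" + pattern, text, re.IGNORECASE | re.MULTILINE) is not None

def audit_ht_guard(conf: str) -> list[str]:
    """Findings for the .ht* guard; [] means it denies everyone and carries its own
    'Satisfy All', so an enclosing 'Satisfy Any' cannot expose .htaccess/.htpasswd."""
    findings, guards = [], []
    for open_tag, arg, body, close_tag in BLOCK_RE.findall(conf):
        if open_tag.lower() != close_tag.lower():
            findings.append(f"<{open_tag} {arg.strip()}> is closed by </{close_tag}>")
        if ".ht" in arg:  # covers both the "^\.ht" regex and the ".ht*" wildcard form
            guards.append(body)
    if not guards:
        return ["no <Files>/<FilesMatch> block covering .ht* files"]
    # 'Satisfy Any' outside the guard is what lets an authenticated user past 'Deny from all'.
    any_elsewhere = _has_directive(BLOCK_RE.sub("", conf), r"Satisfy\s+Any\b")
    for body in guards:
        if not _has_directive(body, r"Deny\s+from\s+all\b"):
            findings.append("guard lacks 'Deny from all'")
        if any_elsewhere and not _has_directive(body, r"Satisfy\s+All\b"):
            findings.append("'Satisfy Any' set elsewhere and guard lacks 'Satisfy All'")
    return findings

# Constructed sample (not from the report): /foo needs a login with Satisfy Any,
# and the .htpasswd lives in a subdirectory, the layout the report describes.
WEAK_CONF = r"""<Directory /foo>
    AuthType Basic
    AuthName "foo"
    AuthUserFile /foo/bar/.htpasswd
    Require valid-user
    Satisfy Any
</Directory>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
"""

# The report's fix: FilesMatch with its own Satisfy All (and a matching close tag).
HARDENED_CONF = WEAK_CONF.replace('<Files ~ "^\\.ht">', '<FilesMatch "^\\.ht">\n    Satisfy All'
                                  ).replace("</Files>", "</FilesMatch>")
```

Running audit_ht_guard over WEAK_CONF reports the bypass, over HARDENED_CONF it reports nothing, and it also points out a FilesMatch block that is closed by a plain </Files>.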