Hello,

Interesting thing here. Is this a bug or expected?
Apache is 2.2.23

Customer uses .htaccess which uses some SetEnvIfNoCase directives to filter bad bots.
The allow,deny directive is placed within a FilesMatch directive.
Example:

SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>


The regex in the FilesMatch directive is quite useless, but this leads to the problem that the .htaccess file can be called by HTTP in a browser and shows all of its contents.

http://example.com/.htaccess

It seems to me quite simple for a user to disclose his .htaccess contents by a simple FilesMatch directive which suddenly ignores the AccessFileName directive.
Is this a bug or expected?

Thanks,
Hajo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
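
An audit check for the pattern reported in the post above, as an added example that is not part of the original message: it flags Files/FilesMatch sections in .htaccess text that contain "Allow from all" and whose pattern also matches .htaccess itself. The function names, the sample input and the inclusion of .htpasswd are assumptions made for the example.

```python
import fnmatch
import re

# Constructed sample: the section from the post, plus a narrower one for contrast.
SAMPLE_HTACCESS = r'''SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>

<FilesMatch "\.(php|html)$">
Order Allow,Deny
Allow from all
</FilesMatch>
'''

# File names that should not be served; .htpasswd is an assumed addition.
PROTECTED_NAMES = (".htaccess", ".htpasswd")

SECTION_RE = re.compile(
    r'<(FilesMatch|Files)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</\1\s*>',
    re.IGNORECASE | re.DOTALL)
ALLOW_ALL_RE = re.compile(r'^\s*Allow\s+from\s+all\b', re.IGNORECASE | re.MULTILINE)

def pattern_matches(kind, tilde, pattern, name):
    """FilesMatch and 'Files ~' take a regex; plain Files takes a wildcard."""
    if kind.lower() == "filesmatch" or tilde:
        try:
            return re.search(pattern, name) is not None
        except re.error:
            return False  # PCRE syntax Python's re cannot parse: not evaluated
    return fnmatch.fnmatchcase(name, pattern)

def find_exposing_sections(text):
    """Return (line, pattern, matched_names) for each section that contains
    'Allow from all' and whose pattern also matches a protected file name."""
    findings = []
    for m in SECTION_RE.finditer(text):
        kind, tilde, pattern, body = m.groups()
        pattern = pattern.strip()
        if not ALLOW_ALL_RE.search(body):
            continue
        hit = [n for n in PROTECTED_NAMES if pattern_matches(kind, tilde, pattern, n)]
        if hit:
            findings.append((text.count("\n", 0, m.start()) + 1, pattern, hit))
    return findings
```

Calling find_exposing_sections(SAMPLE_HTACCESS) reports only the "(.*)" section on line 3; the section restricted to .php and .html files is not flagged.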
