You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Greg Saylor <we...@net-virtual.com> on 1998/09/04 01:35:10 UTC

mod_auth-any/2951: .htaccess in virtual host directory doesn't seem to be parsed correctly.

>Number:         2951
>Category:       mod_auth-any
>Synopsis:       .htaccess in virtual host directory doesn't seem to be parsed correctly.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Sep  3 16:40:00 PDT 1998
>Last-Modified:
>Originator:     webmaster@net-virtual.com
>Organization:
apache
>Release:        1.2.6
>Environment:
Solaris 2.6, GCC compiler sun4u sparc SUNW,Ultra-1
>Description:
I have a virtual server at /opt/htdocs/test and a URL of test.blah.com.  When I
go to http://test.blah.com I pull up the index.html document just fine and can 
also retrieve a "passwd" file in the same directory.  For example:
http://test.blah.com/passwd will list my passwd file.   This is a copy of my
htaccess file:

<Files *>
deny from all
</Files>
<Files ~ "/|(index|test)\.html">
allow from all
</Files>

My access.conf shows:

<Directory /opt/htdocs/test>
Options Indexes FollowSymLinks Includes ExecCGI MultiViews
AllowOverride All
order allow,deny
allow from all
</Directory>

If this is not a bug, I have been unable to find any documentation or
assistance in resolving this so please offer the correct method for
accomplishing this.   Specifically telling it to deny access to that file
does work, it's like it's ignoring the <Files *> directive because if I change
it to:
<Files passwd>

it does deny access to the passwd file....  

Thanks for all your help and providing such a great product.  I've had to ask 
for help one other time and the response was excellent!   If I am just not 
understanding this properly or if Apache is designed to work this way, that's
fine but please let me know how (if at all) I can accomplish this goal for
my client...
>How-To-Repeat:

>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]