Posted to apache-bugdb@apache.org by Uhlar Matus <uh...@fantomas.sk> on 2001/11/07 12:35:44 UTC

mod_auth-any/8698: htpasswd file location

>Number:         8698
>Category:       mod_auth-any
>Synopsis:       htpasswd file location
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Wed Nov 07 03:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     uhlar@fantomas.sk
>Release:        1.3.20
>Organization:
apache
>Environment:
any
>Description:
As the doc says, the .htpasswd file needs to be defined with full path,
otherwise it is searched for in the ServerRoot directory. We are using Apache
for providing users webspace and do not want to either tell them the full path
or give them access to any directory other than their DocumentRoot.
They can upload a .htaccess file but they can't upload a .htpasswd file anyway.
>How-To-Repeat:

>Fix:
The AuthUser(DB,DBM)File defined in .htaccess should IMO be searched for in
the same directory as .htaccess. Of course I know the security considerations,
but I think the <Files> directive could be used to prevent access to that file
for users.
>Release-Note:
>Audit-Trail:
>Unformatted:
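The setup the report describes, as an added configuration example that is not part of the original report or of the Apache distribution's documentation. It shows the absolute AuthUserFile path a customer must write under 1.3 and the <Files> block the submitter refers to; the /home/alice paths, the directory layout and the realm name are constructed for illustration.

```apache
# ---- httpd.conf (server-wide) ----
# Paths below are constructed placeholders for a shared-hosting layout.

# Let customers set authentication directives in .htaccess and nothing else.
<Directory /home/*/public_html>
    AllowOverride AuthConfig
</Directory>

# Refuse HTTP requests for any file whose name starts with ".ht"
# (.htaccess, .htpasswd), wherever it sits under a DocumentRoot.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# ---- /home/alice/public_html/private/.htaccess (uploaded by the customer) ----
# A relative AuthUserFile is resolved against ServerRoot, so the customer
# has to know and write the absolute path:
AuthType Basic
AuthName "Private area"
AuthUserFile /home/alice/public_html/private/.htpasswd
Require valid-user
```

With the password file stored under the DocumentRoot, the <Files> block is the only thing keeping the hashes from being served over HTTP, so after any configuration change confirm that a request for the .htpasswd URL returns 403.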