Posted to apache-bugdb@apache.org by Rob Cash <rc...@nortel.ca> on 1997/04/17 00:20:02 UTC

mod_access/407: .htaccess is not always honored

>Number:         407
>Category:       mod_access
>Synopsis:       .htaccess is not always honored
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr 16 15:20:01 1997
>Originator:     rcash@nortel.ca
>Organization:
apache
>Release:        1.2b8
>Environment:
OS: Solaris 2.5.1 Kernel patch Generic_103640-03
Compiler: SPARCworks 3.0.1
>Description:
When I try to access an HTML document (either through a link or by typing
in the URL myself) that is located in a 'private' directory (protected by
a .htaccess file), I am asked for a password (as is expected).  I click
cancel and am denied access.  However if I access some CGI script in that
directory through a form, I am allowed access.
>How-To-Repeat:
I'm behind a firewall so I'll have to give you the files.
The first file, test.html, provides you with a form and a link.  Clicking
either will take you into the private directory.  If you got there through
the link you will be asked for a password; if you got there through the form
you will not be asked for a password.

test.html:
<html>
<body>
<form action=private/test.cgi method=post>
<input type=submit>
</form>
<p>
 
Click <a href="private/index.html">here</a>
</body>
</html>


Here's private/test.cgi:
#!/usr/bin/perl
 
print "Content-type: text/html\n\n";
 
print "<html>\n";
print "<body>\n";
print "<h1>Hi</h1>\n";
print "</body>\n";
print "</html>\n";


Here's private/index.html:
<html>
<body>
<h1>Hello from index.html</h1>
</body>
</html>


Here's the .htaccess file:
AuthType Basic
AuthName SLAP Utility Private Area
AuthUserFile .htpasswd
<Limit GET PUT>
require valid-user
</Limit>


Here's the .htpasswd file:
guest:Bmb8VdQw2/P.E
>Fix:
Sorry, but I don't
>Audit-Trail:
>Unformatted:



Re: mod_access/407: .htaccess is not always honored

Posted by Marc Slemko <ma...@znep.com>.
On Wed, 16 Apr 1997, Rob Cash wrote:

[...]
> >Description:
> When I try to access an HTML document (either through a link or by typing
> in the URL myself) that is located in a 'private' directory (protected by
> a .htaccess file), I am asked for a password (as is expected).  I click
> cancel and am denied access.  However if I access some CGI script in that
> directory through a form, I am allowed access.
[...]

> <form action=private/test.cgi method=post>
[...]
> Here's the .htaccess file:
> AuthType Basic
> AuthName SLAP Utility Private Area
> AuthUserFile .htpasswd
> <Limit GET PUT>
> require valid-user
> </Limit>

You are telling it to limit GET and PUT.  Then you are doing a POST.  If
you want to limit POST, you need to tell it to.

You should also be able to just leave the <Limit> and </Limit> bit out and
have it apply to all methods.
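
The gap described in the reply above, as an added example that is not part of the thread or of Apache itself: a Python audit that reports which request methods fall outside every require line in an .htaccess file. The method list and the names unprotected_methods, REPORTED and WITHOUT_LIMIT are assumptions of this example, and only <Limit> blocks are parsed.

```python
import re

# Methods to check for; this set is an assumption of the example.
METHODS = {"GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS"}
LIMIT_OPEN = re.compile(r"<Limit\s+([^>]*)>", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"</Limit>", re.IGNORECASE)
REQUIRE = re.compile(r"require\b", re.IGNORECASE)

def unprotected_methods(htaccess_text):
    """Return the METHODS no 'require' applies to ([] if all covered or no require)."""
    covered = set()
    current = None  # methods of the <Limit> block being read, if any
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            current = {m.upper() for m in opened.group(1).split()}
        elif LIMIT_CLOSE.match(line):
            current = None
        elif REQUIRE.match(line):
            if current is None:
                return []  # unscoped require: applies to all methods
            covered |= current
    return sorted(METHODS - covered) if covered else []

# The .htaccess from the report above.
REPORTED = """AuthType Basic
AuthName SLAP Utility Private Area
AuthUserFile .htpasswd
<Limit GET PUT>
require valid-user
</Limit>
"""

# Constructed variant with the <Limit> lines left out, as the reply suggests.
WITHOUT_LIMIT = """AuthType Basic
AuthName SLAP Utility Private Area
AuthUserFile .htpasswd
require valid-user
"""

if __name__ == "__main__":
    print("reported:", unprotected_methods(REPORTED))
    print("without <Limit>:", unprotected_methods(WITHOUT_LIMIT))
```

For the reported file the result includes POST, which is the method the form in test.html uses.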