general/4244: "Files" and "FilesMatch" regexp does not recognize bang as negation operator

[Kai Schlichting <ka...@pac-rim.net>]

>Number:         4244
>Category:       general
>Synopsis:       "Files" and "FilesMatch" regexp does not recognize bang as negation operator
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr 14 12:40:01 PDT 1999
>Last-Modified:
>Originator:     kai@pac-rim.net
>Organization:
apache
>Release:        1.3.3
>Environment:
OpenBSD2.4 - all general patches
>Description:
A stement in .htaccess like the following should deny all non-.html files
from being served:
<Files ~ "!\.html$" >
deny from all
</Files>

Reality: the ! is not recognized as a negative match operator. All possible
syntax/combinations of ! have been tried:
!"\.html$"
"!(\.html)$" etc.

This is important so that .htaccess and .htpasswd files can be denied -
even for users that have successfully authenticated following .htaccess
rules. .htaccess parsing is before "Files", so the "Files" part has
to be in the .htaccess part by itself: deny all .ht* files, then selectively
allow all non-.ht* files.
>How-To-Repeat:

>Fix:
Introduce a first-match exits rule for a sequence of <Files> </Files> blocks,
rather than the "last match sticks" rule. This is in addition to the
missing negation operator really.

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]