Posted to apache-bugdb@apache.org by Kai Schlichting <ka...@pac-rim.net> on 1999/04/14 21:31:50 UTC
general/4244: "Files" and "FilesMatch" regexp does not recognize bang as negation operator
>Number: 4244
>Category: general
>Synopsis: "Files" and "FilesMatch" regexp does not recognize bang as negation operator
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Apr 14 12:40:01 PDT 1999
>Last-Modified:
>Originator: kai@pac-rim.net
>Organization:
apache
>Release: 1.3.3
>Environment:
OpenBSD2.4 - all general patches
>Description:
A statement in .htaccess like the following should deny all non-.html files
from being served:
<Files ~ "!\.html$" >
deny from all
</Files>
Reality: the ! is not recognized as a negative match operator. All possible
syntax/combinations of ! have been tried:
!"\.html$"
"!(\.html)$" etc.
This is important so that .htaccess and .htpasswd files can be denied -
even for users that have successfully authenticated following .htaccess
rules. .htaccess parsing is before "Files", so the "Files" part has
to be in the .htaccess part by itself: deny all .ht* files, then selectively
allow all non-.ht* files.
>How-To-Repeat:
>Fix:
Introduce a first-match exits rule for a sequence of <Files> </Files> blocks,
rather than the "last match sticks" rule. This is in addition to the
missing negation operator really.
>Audit-Trail:
>Unformatted:
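
The matching behaviour described in the report can be reproduced outside Apache with any POSIX extended-regex matcher. This is an added example, not part of the original report or of Apache's code: `grep -E` stands in for the `<Files ~ "...">` matcher, the file names are constructed, and `denied_by` is a hypothetical helper.

```sh
#!/bin/sh
# Assumption: the pattern is searched, unanchored, against the base name of
# the file, using POSIX extended regex syntax (what grep -E implements).

# Constructed sample file names, one per line.
SAMPLE_NAMES='index.html
.htaccess
.htpasswd
notes.txt
odd!.html'

# denied_by PATTERN: print, space-separated, the sample names the pattern
# matches, i.e. the names a "deny from all" inside <Files ~ PATTERN> covers.
denied_by() {
    out=$(printf '%s\n' "$SAMPLE_NAMES" | grep -E -- "$1" | tr '\n' ' ')
    printf '%s\n' "${out% }"
}

# The pattern from the report: "!" is an ordinary character in the regex,
# so only a name containing a literal "!" before ".html" is matched.
denied_by '!\.html$'

# A positive pattern that names the files to protect instead of negating
# the files to serve.
denied_by '^\.ht'
```

The first call matches only the constructed name with a literal `!` in it; the second covers both `.ht*` files without needing a negation operator.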