Posted to users@httpd.apache.org by Marc <ma...@trash-mail.com> on 2008/01/14 16:45:53 UTC

[users@httpd] Apache ACL

Hello people, 

following issue:

Here is the directory layout
|-- dir1
|   |-- dir2
|   |   `-- dir3

In dir1 is a .htaccess:

<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>

Directory dir3 contains a .htaccess with "Options +Indexes" and .gif-files only.

If I remove the .htaccess in dir1 the directory listing is displayed.

If I keep it, the .htaccess in dir3 seems to be ignored as Error 403 (Forbidden)
is returned.

If I write "<FilesMatch "\.gif$">" instead of php in the .htaccess in dir1 it
all works, and the gif files in dir3 are not displayed (as it should be, an
empty directory listing is returned). So what is it with the PHP files? It seems
to behave like I am unable to access any subdirectory of a directory containing
a .php file with the FilesMatch directive above. Why??

Thanks for any input you might have on this.

Regards,
Marc


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Apache ACL

Posted by Christian Folini <ch...@post.ch>.
On Tue, Jan 15, 2008 at 03:44:11PM +0100, Boyle Owen wrote:
> That's a matter of opinion - I guess you are expecting it only to block
> the PHP file if it exists. But that would mean that apache would have to
> stat the file (ie, expensive file operation) even though it knows that
> it is going to deny access anyway. That seems pretty pointless in the
> general case so it just sends the 403 straight away, before it wastes
> time looking up the file.

I think it is also security relevant. If you would send a 403 on
an existing file and 404 on a non-existing one, an attacker could
use this behaviour to scan a site.

regs,

Christian





RE: [users@httpd] Re: Apache ACL

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Marc
> Sent: Tuesday, January 15, 2008 1:22 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: Apache ACL
> 
> Boyle Owen <Owen.Boyle <at> swx.com> writes:
> 
> > 
> > The problem you describe has no obvious solution, so there must be
> > additional config directives interfering with your setup. See notes
> > below:  
> > 
> 
> [error] [client 88.xx.xx.xx.xx] client denied by server configuration:
> /path/to/dir3/index.php
> 
> However, there is no index.php in that directory. Alone it being mentioned in
> the DirectoryIndex

Aha! that's the "additional config directives interfering with your
setup"... You didn't mention you had a DirectoryIndex directive
somewhere... 

What's happening is:

- Apache gets request for dir3
- DirectoryIndex tells it to look for index.php
- FilesMatch block matches index.php and so triggers a 403

> seems to be enough for the access to be denied :-\ Strange behavior.

That's a matter of opinion - I guess you are expecting it only to block
the PHP file if it exists. But that would mean that apache would have to
stat the file (ie, expensive file operation) even though it knows that
it is going to deny access anyway. That seems pretty pointless in the
general case so it just sends the 403 straight away, before it wastes
time looking up the file.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> regards,
> Marc
> 
> 
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.
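Christian's 403-versus-404 point and Owen's walk-through of the DirectoryIndex lookup can both be made concrete with a small simulation. This is an added example, not code from the thread and not httpd's own code: it models the per-directory config merge, the FilesMatch access check and mod_dir's index loop in Python, using the directory layout from the thread. The server-wide `DirectoryIndex index.php index.html` line, the `DirectoryIndex index.html` override placed in dir3 (which needs `AllowOverride Indexes`), and the rule that mod_dir keeps the last non-404 error from an index candidate instead of falling through to autoindex are my assumptions about the setup and my reading of httpd, not statements from the thread.

```python
"""Model of httpd's DirectoryIndex lookup and FilesMatch access checks.

Added example, not code from the thread or from httpd. It simulates why a
"Deny from all" FilesMatch on \\.php$ in dir1/.htaccess turns a request for
dir1/dir2/dir3/ into a 403 although dir3 holds no index.php, how a
DirectoryIndex override in dir3 avoids that, and why answering 404 for a
missing-but-denied file would leak file existence.
"""
import re
from pathlib import PurePosixPath

# Constructed filesystem matching the thread's layout (dir3 holds only GIFs).
FILES = {"/dir1/index.php", "/dir1/dir2/dir3/a.gif", "/dir1/dir2/dir3/b.gif"}
DIRS = {"/", "/dir1", "/dir1/dir2", "/dir1/dir2/dir3"}

# Per-directory config standing in for httpd.conf plus each .htaccess.
#   deny    : FilesMatch patterns carrying "Order Deny,Allow / Deny from all"
#   index   : DirectoryIndex list (server-wide default is an assumption)
#   indexes : Options Indexes
BROKEN = {
    "/":               {"index": ["index.php", "index.html"]},
    "/dir1":           {"deny": [r"\.php$"]},
    "/dir1/dir2/dir3": {"indexes": True},
}
# Marc's second experiment: deny .gif instead of .php in dir1.
GIF_DENY = {**BROKEN, "/dir1": {"deny": [r"\.gif$"]}}
# Fix: dir3/.htaccess overrides DirectoryIndex so no candidate matches the
# deny pattern (assumes AllowOverride Indexes is granted for dir3).
FIXED = {**BROKEN, "/dir1/dir2/dir3": {"indexes": True, "index": ["index.html"]}}


def merged(directory, config):
    """Merge config from / down to `directory` the way httpd's directory
    walk does: FilesMatch sections accumulate, DirectoryIndex and Options
    are replaced by the nearest directory that sets them."""
    cfg = {"deny": [], "index": [], "indexes": False}
    parts = PurePosixPath(directory).parts
    for i in range(1, len(parts) + 1):
        local = config.get(str(PurePosixPath(*parts[:i])), {})
        cfg["deny"] += local.get("deny", [])
        cfg["index"] = list(local.get("index", cfg["index"]))
        cfg["indexes"] = local.get("indexes", cfg["indexes"])
    return cfg


def allowed(path, config):
    """FilesMatch is evaluated against the requested name only; nothing
    here consults the filesystem, which is the point Owen makes."""
    cfg = merged(str(PurePosixPath(path).parent), config)
    return not any(re.search(rx, PurePosixPath(path).name) for rx in cfg["deny"])


def file_request(path, config, stat_first=False):
    """Status for a direct file request. httpd runs the access check before
    it cares whether the file exists, so a denied name is 403 either way.
    stat_first=True models the alternative ordering Christian warns about."""
    if stat_first and path not in FILES:
        return 404
    if not allowed(path, config):
        return 403
    return 200 if path in FILES else 404


def request(uri, config=BROKEN):
    """Status for a request, modelling the core handler, mod_dir's
    DirectoryIndex loop and the mod_autoindex fallback."""
    path = uri.rstrip("/") or "/"
    if path not in DIRS:
        return file_request(path, config)
    cfg = merged(path, config)
    remembered = None
    for name in cfg["index"]:
        status = file_request(path.rstrip("/") + "/" + name, config)
        if status == 200:
            return 200                # serve the index file
        if status != 404:
            remembered = status       # mod_dir keeps non-404 errors (my reading)
    if remembered:
        return remembered             # the error wins over the listing
    return 200 if cfg["indexes"] else 403


def existence_leak(config, stat_first):
    """True when a denied name that exists and one that does not receive
    different status codes, i.e. the response is an existence oracle."""
    present = file_request("/dir1/index.php", config, stat_first)
    absent = file_request("/dir1/missing.php", config, stat_first)
    return present != absent
```

Against the BROKEN config, `request("/dir1/dir2/dir3/")` returns 403 for the reason Owen gives: the `index.php` candidate is refused by name before anything is looked up on disk, and that refusal outranks the `Options +Indexes` listing. The FIXED config stops dir3 from ever asking for `index.php`; scoping the deny block to the directories that actually hold PHP would work as well. `existence_leak` shows the trade-off Christian describes: only the stat-first variant hands an attacker a different status code for a file that exists.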



[users@httpd] Re: Apache ACL

Posted by Marc <ma...@trash-mail.com>.
Boyle Owen <Owen.Boyle <at> swx.com> writes:

> 
> The problem you describe has no obvious solution, so there must be
> additional config directives interfering with your setup. See notes
> below:  
> 
> > -----Original Message-----
> > From: news [mailto:news <at> ger.gmane.org] On Behalf Of Marc
> > Sent: Monday, January 14, 2008 4:46 PM
> > To: users <at> httpd.apache.org
> > Subject: [users <at> httpd] Apache ACL
> > 
> > Hello people, 
> > 
> > following issue:
> > 
> > Here is the directory layout
> > |-- dir1
> > |   |-- dir2
> > |   |   `-- dir3
> > 
> > In dir1 is a .htaccess:
> > 
> > <FilesMatch "\.php$">
> > Order Deny,Allow
> > Deny from all
> > </FilesMatch>
> > 
> > Directory dir3 contains a .htaccess with "Options +Indexes" 
> > and .gif-files only.
> > 
> > If I remove the .htaccess in dir1 the directory listing is displayed.
> 
> In which dir - dir3?

Yes.

> 
> > 
> > If I keep it, the .htaccess in dir3 seems to be ignored as 
> > Error 403 (Forbidden)
> > is returned.
> 
> From what URL?

Well, from http://server_name_of_virtual_host/dir1/dir2/dir3/

> What is in the error log for this request?

I guess now I see the problem:

[error] [client 88.xx.xx.xx.xx] client denied by server configuration:
/path/to/dir3/index.php

However, there is no index.php in that directory. Alone it being mentioned in
the DirectoryIndex seems to be enough for the access to be denied :-\ Strange
behavior.

regards,
Marc




RE: [users@httpd] Apache ACL

Posted by Boyle Owen <Ow...@swx.com>.
The problem you describe has no obvious solution, so there must be
additional config directives interfering with your setup. See notes
below:  

> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Marc
> Sent: Monday, January 14, 2008 4:46 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Apache ACL
> 
> Hello people, 
> 
> following issue:
> 
> Here is the directory layout
> |-- dir1
> |   |-- dir2
> |   |   `-- dir3
> 
> In dir1 is a .htaccess:
> 
> <FilesMatch "\.php$">
> Order Deny,Allow
> Deny from all
> </FilesMatch>
> 
> Directory dir3 contains a .htaccess with "Options +Indexes" 
> and .gif-files only.
> 
> If I remove the .htaccess in dir1 the directory listing is displayed.

In which dir - dir3?

> 
> If I keep it, the .htaccess in dir3 seems to be ignored as 
> Error 403 (Forbidden)
> is returned.

From what URL?
What is in the error log for this request?
What else is in the .htaccess file in dir3?
Any .htaccess in dir2?

> 
> If I write "<FilesMatch "\.gif$">" instead of php in the 
> .htaccess in dir1 it
> all works, and the gif files in dir3 are not displayed (as it 
> should be, an
> empty directory listing is returned). 

What are you actually trying to achieve? Full access to GIFs with
directory-indexing in dir3, but 403 from all PHPs wherever?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> So what is it with the 
> PHP files? It seems
> to behave like I am unable to access any subdirectory of a 
> directory containing
> a .php file with the FilesMatch directive above. Why??
> 
> Thanks for any input you might have on this.
> 
> Regards,
> Marc
> 
> 
 
 