Posted to users@httpd.apache.org by Hajo Locke <ha...@gmx.de> on 2013/04/05 11:44:57 UTC

[users@httpd] filesmatch suspends AccessFileName?

Hello,

Interesting thing here. Is this a bug or expected?
Apache is 2.2.23

Customer uses .htaccess which uses some SetEnvIfNoCase directives to filter 
bad bots.
The allow,deny directive is placed within a FilesMatch directive.
Example:

SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>


The regex in the FilesMatch directive is quite useless, but this leads to the 
problem that the .htaccess file can be called by HTTP in a browser and shows all of 
its contents.

http://example.com/.htaccess

Seems to me quite simple for a user to disclose his .htaccess contents by a 
simple FilesMatch directive which suddenly ignores the AccessFileName directive.
Is this a bug or expected?

Thanks,
Hajo 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] filesmatch suspends AccessFileName?

Posted by Paul Norton <pn...@gmail.com>.
On 5 April 2013 10:44, Hajo Locke <ha...@gmx.de> wrote:

> Hello,
>
> Interesting thing here. Is this a bug or expected?
> Apache is 2.2.23
>
> Customer uses .htaccess which uses some SetEnvIfNoCase directives to
> filter bad bots.
> The allow,deny directive is placed within a FilesMatch directive.
> Example:
>
> SetEnvIfNoCase user-agent "hallohallo" bad_bot=1
>
> <FilesMatch "(.*)">
> Order Allow,Deny
> Allow from all
> Deny from env=bad_bot
> </FilesMatch>
>
>
> The regex in the FilesMatch directive is quite useless, but this leads to the
> problem that the .htaccess file can be called by HTTP in a browser and shows all of
> its contents.
>
> http://example.com/.htaccess
>
> Seems to me quite simple for a user to disclose his .htaccess contents by a
> simple FilesMatch directive which suddenly ignores the AccessFileName directive.
> Is this a bug or expected?
>
> Thanks,
> Hajo
>
Hello Hajo
Try this at the top level
<Directory /further/up/tree>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
</Directory>
or
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

What you've written makes logical sense and I would be allowed access to
.htaccess
All the best Paul




-- 
"I know one thing: That I know nothing" - Socrates
"We're all explorers here" - T S Eliot

Re: [users@httpd] filesmatch suspends AccessFileName?

Posted by Igor Cicimov <ic...@gmail.com>.
>
> The regex in the FilesMatch directive is quite useless, but this leads to the
> problem that the .htaccess file can be called by HTTP in a browser and shows all of
> its contents.
>
> http://example.com/.htaccess
>
> Seems to me quite simple for a user to disclose his .htaccess contents by a
> simple FilesMatch directive which suddenly ignores the AccessFileName directive.
> Is this a bug or expected?
>

I have the following in the httpd.conf:

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

Don't you have something similar?
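A small model of why the customer's .htaccess wins over Igor's httpd.conf block, added here as an illustration and not code from the thread or from httpd itself. It assumes the 2.2 mod_authz_host behaviour that a later matching section's Order/Allow/Deny replaces the earlier section's entirely (that module defines no merge function), and that .htaccess access rules are only honoured under AllowOverride Limit; the FIXED_HTACCESS pattern is a hypothetical customer-side fix, and SetEnvIf is modelled as a pre-computed env set.

```python
# Added example (not from the thread): models Apache 2.2 Order/Allow/Deny
# merging across config sections. Assumption: a later section that matches
# the filename replaces earlier Order/Allow/Deny settings wholesale.
import re

# Each section: (FilesMatch regex, {"order", "allow": [...], "deny": [...]})
HTTPD_CONF = [(r"^\.ht", {"order": "allow,deny", "allow": [], "deny": ["all"]})]
# The customer's rule from the first post: matches every file, .htaccess included.
CUSTOMER_HTACCESS = [(r"(.*)", {"order": "allow,deny",
                                "allow": ["all"], "deny": ["env=bad_bot"]})]
# Hypothetical narrowed rule: leave dotfiles starting with .ht to httpd.conf.
FIXED_HTACCESS = [(r"^(?!\.ht).*", {"order": "allow,deny",
                                    "allow": ["all"], "deny": ["env=bad_bot"]})]


def effective_config(filename, sections):
    """Return the Order/Allow/Deny set that applies: last matching section wins."""
    effective = None
    for pattern, cfg in sections:
        if re.search(pattern, filename):  # FilesMatch regexes are unanchored
            effective = cfg
    return effective


def rule_matches(rule, env):
    """Evaluate an 'Allow from' / 'Deny from' argument; env = set SetEnvIf variables."""
    if rule == "all":
        return True
    if rule.startswith("env="):
        return rule[4:] in env
    return False


def allowed(filename, env, httpd_conf, htaccess, allow_override_limit=True):
    """True if the request for `filename` passes mod_authz_host in this model."""
    sections = list(httpd_conf)
    if allow_override_limit:  # .htaccess access rules need AllowOverride Limit
        sections += htaccess
    cfg = effective_config(filename, sections)
    if cfg is None:
        return True  # no Order/Allow/Deny applies: access is not restricted here
    a = any(rule_matches(r, env) for r in cfg["allow"])
    d = any(rule_matches(r, env) for r in cfg["deny"])
    if cfg["order"] == "allow,deny":
        return a and not d  # Allow,Deny: default deny, Deny overrides Allow
    return a or not d       # Deny,Allow: default allow, Allow overrides Deny
```

With the customer's rule, `allowed(".htaccess", set(), HTTPD_CONF, CUSTOMER_HTACCESS)` is True, which is exactly the disclosure reported; with AllowOverride Limit withdrawn or the narrowed pattern, the httpd.conf deny is back in force.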