Before I send in a bug report, can anyone confirm that the following
really IS a problem/bug in Apache 1.3b5 please?
(I know the following sounds a little contrived, but its part of a slow
testing process I'm going through trying to reproduce our current Web
server's environment using Apache.)
The aim is to have a directory which is only accessible if and only if it
contains an .htaccess file explicitly allowing access to IP addresses.
1. Create a directory within your document root, say /htdocs/sample/.
Put in there an .htaccess files containing:
Allow from all
2. Set your Apache access.conf file to NOT allow .htaccess files to override
any of the AllowOverride options (just for testing at this stage):
Deny from all
Now request the /htdocs/sample/ directory by asking for the /sample/ URL
(or however you have your server configured).
The request is denied: the .htaccess file is correctly being prevented
from overriding the server's default of "Deny from all".
Now change the access.conf entry to AllowOverride something irrelevant to
allow/deny access control. According to the documentation the allow/deny
directives are only permitted in .htaccess files if AllowOverride contains
"Limit". So we should be able to enable overrides for, say, "Indexes"
without changing the behaviour for allow/deny behaviour...
Deny from all
Now re-request the URL.
This time, however, the request succeeds and the information served up to you.
I'm pretty sure this is a WRONG.
Am I missing something fundamental here or should I be sending in a bug report?
The Computing Service, University of York, Heslington, York, YO1 5DD, UK
Tel: +44-1904-433811 FAX: +44-1904-433740 http://www.york.ac.uk/~pmb1/
* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *