Apache 1.3b5: AllowOverride being too lax?

Apache 1.3b5: AllowOverride being too lax?

Post by Mike Brudene » Sat, 14 Mar 1998 04:00:00

Greetings -

Before I send in a bug report, can anyone confirm that the following
really IS a problem/bug in Apache 1.3b5 please?

(I know the following sounds a little contrived, but its part of a slow
testing process I'm going through trying to reproduce our current Web
server's environment using Apache.)

The aim is to have a directory which is only accessible if and only if it
contains an .htaccess file explicitly allowing access to IP addresses.

1.  Create a directory within your document root, say /htdocs/sample/.
    Put in there an .htaccess files containing:

        <FilesMatch "*">
            Allow from all

2.  Set your Apache access.conf file to NOT allow .htaccess files to override
    any of the AllowOverride options (just for testing at this stage):

        <Directory />
            Deny from all
            AllowOverride None

Now request the /htdocs/sample/ directory by asking for the /sample/ URL
(or however you have your server configured).

The request is denied: the .htaccess file is correctly being prevented
from overriding the server's default of "Deny from all".

Now change the access.conf entry to AllowOverride something irrelevant to
allow/deny access control.  According to the documentation the allow/deny
directives are only permitted in .htaccess files if AllowOverride contains
"Limit".  So we should be able to enable overrides for, say, "Indexes"
without changing the behaviour for allow/deny behaviour...

        <Directory />
            Deny from all
            AllowOverride Indexes

Now re-request the URL.
This time, however, the request succeeds and the information served up to you.
I'm pretty sure this is a WRONG.

Am I missing something fundamental here or should I be sending in a bug report?

With thanks,

Mike Brudenell
The Computing Service, University of York, Heslington, York, YO1 5DD, UK
Tel: +44-1904-433811  FAX: +44-1904-433740  http://www.york.ac.uk/~pmb1/

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *


1. Apache API and AllowOverride

I'm writing an Apache module that does hit counting, and want to
allow users to turn it on for the pages of their choice in
.htaccess files. At the moment we have AllowOverrides set to None.

As far as I can tell, I'll have to associate my per-directory
stuff with one of the AllowOverrides directives defined by the
server (AuthConfig, FileInfo, etc) and enable it.

What I'd like to do is define my own AllowOverrides directive,
without modifying the server code. Is there a way to do this
that I'm missing? If not, is there any intent to add the
capability to the API? I know it'd be a little on the tricky
side, but it'd be cool!


2. MkLiunx and Micropolis 4345 SS Hard Drive -> doesn't boot ...

3. Apache 1.3.2 Limiting AllowOverrides to Particular Options

4. Getting cursor XY position?

5. Apache - AllowOverride/Indexes/IndexOptions ?

6. Weird problem with virtual terminals

7. apache allowoverride problem

8. Odd behavior of "cd" w.r.t. CDPATH on Sol 2.3

9. Apache - 'AllowOverride None' doesn't work!!!

10. AllowOverride on Apache 1.3B6

11. Apache 1.3b5 + SOCKS5 + Configure problem

12. Apache 1.3b5 hangs after a week

13. Append footer to all web pages with Apache 1.3b5?