On 5 April 2013 10:44, Hajo Locke <hajo.lo...@gmx.de> wrote: > Hello, > > interesting thing here. Ist this a bug or expected? > Apache is 2.2.23 > > Costumer uses .htaccess which uses some SetEnvIfNoCase Directives to > filter bad bots. > the allow,deny directive is placed within a filesmatch directive. > example: > > SetEnvIfNoCase user-agent "hallohallo" bad_bot=1 > > <FilesMatch "(.*)"> > Order Allow,Deny > Allow from all > Deny from env=bad_bot > </FilesMatch> > > > The regex in filesmatch Directive is quite useless but this leads to the > problem that .htaccess file can called by http in browser and shows all of > its contents. > > http://example.com/.htaccess > > Seems to me quite simple for a user to disclose his .htaccess contents by > simple filesmatch directive which suddenly ignores AccessFileName directive. > Is this a bug or expected? > > Thanks, > Hajo > > ------------------------------**------------------------------**--------- > To unsubscribe, e-mail: > users-unsubscribe@httpd.**apache.org<users-unsubscr...@httpd.apache.org> > For additional commands, e-mail: users-h...@httpd.apache.org > > Hello Hajo Try this at the top level <Directory /further/up/tree> <Files .htaccess> Order allow,deny Deny from all </Files> </Directory> or <Files .htaccess> order allow,deny deny from all </Files>
What you've written makes logical sense and I would be allowed access to .htaccess All the best Paul -- * "I know one thing: That I know nothing"* - Socrates *"We're all explorers here"* - T S Eliot
