[MacPorts] #7277: Protect .ht* files case insensitively by default (apache2 port)

MacPorts trac at macosforge.org
Wed Feb 6 08:44:35 PST 2008


#7277: Protect .ht* files case insensitively by default (apache2 port)
---------------------------------------------+------------------------------
  Reporter:  opendarwin-2006 at ryandesign.com  |       Owner:  imajes at macports.org
      Type:  defect                          |      Status:  new                
  Priority:  High                            |   Milestone:  Port Bugs          
 Component:  ports                           |     Version:                     
Resolution:                                  |    Keywords:                     
---------------------------------------------+------------------------------
Old description:

> By default the apache2 port installs an httpd.conf containing this
> section which is supposed to prevent malicious users from reading the
> contents of .htaccess or .htpasswd files:
>
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <FilesMatch "^\.ht">
>     Order allow,deny
>     Deny from all
> </FilesMatch>
>
> This is insufficient on file systems which are case insensitive, such as
> Mac OS X's default HFS+ file system. Mac OS X also has other files and
> directories inside each directory which must not be made accessible to
> web visitors. See Apple's knowledge base article:
>
> http://docs.info.apple.com/article.html?artnum=300422
>
> The updated rules provided in that knowledge base article should be
> patched into the default httpd.conf file provided through darwinports so
> that users are by default protected from this problem.
>
> Someone should also examine the apache 1 port to see if it suffers from
> the same problem, and patch it too if necessary (possibly creating a
> separate bug report if necessary).
>
> This issue is related a bit to bug #803.

New description:

 By default the apache2 port installs an httpd.conf containing this section
 which is supposed to prevent malicious users from reading the contents of
 .htaccess or .htpasswd files:

 {{{
 # The following lines prevent .htaccess and .htpasswd files from being
 # viewed by Web clients.
 #
 <FilesMatch "^\.ht">
     Order allow,deny
     Deny from all
 </FilesMatch>
 }}}

 This is insufficient on file systems which are case insensitive, such as
 Mac OS X's default HFS+ file system. Mac OS X also has other files and
 directories inside each directory which must not be made accessible to web
 visitors. See Apple's knowledge base article:

 http://docs.info.apple.com/article.html?artnum=300422

 The updated rules provided in that knowledge base article should be
 patched into the default httpd.conf file provided through darwinports so
 that users are by default protected from this problem.

 Someone should also examine the apache 1 port to see if it suffers from
 the same problem, and patch it too if necessary (possibly creating a
 separate bug report if necessary).

 This issue is related a bit to bug #803.

-- 
Ticket URL: <http://trac.macosforge.org/projects/macports/ticket/7277#comment:3>
MacPorts </projects/macports>
Ports system for Mac OS
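
Added example (not part of the ticket, the apache2 port or Apple's article): a small Python model of why the stock <FilesMatch "^\.ht"> rule is insufficient on a case-insensitive, case-preserving file system. Apache tests FilesMatch against the file name exactly as the client spelled it; HFS+ then opens .HTACCESS as .htaccess, so the regex misses while the file is served. The hardened pattern, the .DS_Store and AppleDouble ._* names, the probe list and the files written into the temporary document root are all assumptions made for the illustration, not rules taken from the Apple knowledge base article.

```python
"""Simulate Apache <FilesMatch> against a case-insensitive file system.

Added example, not code from the ticket, the apache2 port or Apple's
article. Only the part of Apache that matters is modelled: FilesMatch is
tested against the basename exactly as the client spelled it, and the
file system then resolves that name case-insensitively.
"""
import os
import re
import tempfile

# Pattern shipped in the port's stock httpd.conf: <FilesMatch "^\.ht">.
# PCRE, case-sensitive, so ".HTACCESS" and ".HtPasswd" slip through.
WEAK_PATTERN = r"^\.ht"

# Assumed hardened pattern for this illustration (not the article's text):
# case-insensitive, and also catching Finder metadata (.DS_Store) and
# AppleDouble resource-fork files (._name) that Mac OS X leaves around.
FIXED_PATTERN = r"(?i)^\.(ht|ds_store|_)"


def resolve_on_hfs_plus(docroot, requested):
    """Model an HFS+ lookup: case-insensitive match, on-disk spelling returned."""
    for entry in os.listdir(docroot):
        if entry.lower() == requested.lower():
            return entry
    return None


def serve(docroot, requested, pattern, case_insensitive_fs=True):
    """Return the status a FilesMatch/Deny rule would yield for one request.

    403: the regex matched the name as requested, access denied.
    200: the regex missed and the file system found a file to hand back.
    404: nothing on disk answered to that name.
    """
    if case_insensitive_fs:
        on_disk = resolve_on_hfs_plus(docroot, requested)
    else:
        path = os.path.join(docroot, requested)
        on_disk = requested if os.path.exists(path) else None
    if re.search(pattern, requested):   # FilesMatch sees the client's spelling
        return 403
    return 200 if on_disk is not None else 404


def audit(docroot, pattern, probes, case_insensitive_fs=True):
    """Map each probe name to the status it would get under `pattern`."""
    return {p: serve(docroot, p, pattern, case_insensitive_fs) for p in probes}


def demo():
    """Build a throwaway document root and audit both patterns against it.

    Returns (weak_results, fixed_results). File names and contents are
    constructed sample data, not taken from any real installation.
    """
    sample_files = {
        ".htaccess": "AuthType Basic\nAuthUserFile .htpasswd\n",
        ".htpasswd": "admin:x\n",
        ".DS_Store": "finder metadata\n",
        "._index.html": "resource fork\n",
        "index.html": "<html>hello</html>\n",
    }
    probes = [".htaccess", ".HTACCESS", ".HtPasswd", ".DS_Store",
              ".ds_store", "._index.html", "index.html", "missing.txt"]
    with tempfile.TemporaryDirectory() as docroot:
        for name, body in sample_files.items():
            with open(os.path.join(docroot, name), "w") as fh:
                fh.write(body)
        weak = audit(docroot, WEAK_PATTERN, probes)
        fixed = audit(docroot, FIXED_PATTERN, probes)
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    for probe in weak:
        print(f"{probe:16} stock: {weak[probe]}  hardened: {fixed[probe]}")
```

With the stock pattern the model returns 200 for .HTACCESS, .HtPasswd, .DS_Store and ._index.html and 403 only for the exactly spelled .htaccess; with the case-insensitive pattern every one of those probes gets 403 while index.html still gets 200. The cheap check after restarting httpd with any new rule is the same: request the upper-cased name (for example /.HTACCESS) and confirm a 403 rather than a 200. The Order/Deny pair is Apache 2.2 syntax; on 2.4 the equivalent inside the FilesMatch block is `Require all denied`.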
