#2639 some .htaccess files have incorrect apache directives

Options (155)

not version specific

.htaccess files in /doc and /contrib have incorrect apache permission directives

The .htaccess files in /doc and /contrib have the following entries:
Order Deny,Allow
Deny from All
Allow from 127
Allow from 10
Allow from 192

The last entry: "Allow from 192" allows access from publicly routable network blocks. To achieve the desired effect, that line should read: "Allow from 192.168"

Additionally, I question the wisdom of including 10 and 192.168. Just because a network block is not publicly routable does not mean that it poses no threat. There are large networks that use private network address spaces with potentially hostile hosts in them. If the 10 and 192.168 entries were to be removed, then I would prefer to see the .htaccess files simply changed to "Deny from All", as the only entry left is the local loopback address space, and anyone on the local machine can directly read those directories anyway.


  • Jonathan Angliss

    I've taken care of the reference to 192 and changed to fit RFC1918. Also added in the 172.16 block as well.

    I'll discuss with the other devs, because this probably needs to be expanding upon for removal, and/or tightening general control elsewhere.

  • Jonathan Angliss

    • assigned_to: nobody --> jangliss

Log in to post a comment.