Serious bug with .htaccess allow/deny processing.

Karl

Active Member
#1
Hi,

We've come across a serious bug with the processing of access restrictions (allow/deny) and .htaccess. Here's the situation:

/
.htaccess has a rewrite to push all .php requests through a centralised router for legacy reasons:
# RewriteEngine On is required for the rules below to take effect
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)\.php$
RewriteRule (.*) router.php [QSA]

/directory
.htaccess contains:
order deny,allow
deny from all

/directory has some PHP files in it:
index.htm
old.php
old2.php

If you try to access /directory you get a 403 Forbidden, same if you try to access index.htm. If you try to access old.php directly, it gets passed to the centralised router defined in /.htaccess and executed by the router. It completely ignores the access restrictions in /directory/.htaccess - this is a serious bug.

I have tested this same scenario in Apache, and it correctly gives a 403 for anything inside /directory.

LiteSpeed Enterprise 5.0.5

Thanks,

Karl
 

NiteWave

Administrator
#2
I tried to reproduce the issue on a 5.0.5 server.

Initially I could reproduce the issue 100%.
After careful investigation (enabling the rewrite log etc.), I found my test hadn't enabled AllowOverride for "Limit"; this results in
deny from all
being completely ignored.

The official documentation:
http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny

Your scenario may vary. Please check the above setting and see if you can still reproduce the issue.
I'll try to reproduce the issue on my test server then.
 

mistwang

LiteSpeed Staff
#3
If you try and access /directory you get a 403 forbidden, same if you try and access index.htm. If you try and access old.php directly, it gets passed to the centralised router defined in /.htaccess and executed by the router. It completely ignores the access restrictions in /directory/.htaccess - this is a serious bug.
Quick fix is to add "RewriteEngine off" in /directory/.htaccess .
Sometimes, it is hard to follow exact apache behavior in all scenarios.
 

Karl

Active Member
#4
Quick fix is to add "RewriteEngine off" in /directory/.htaccess .
Sometimes, it is hard to follow exact apache behavior in all scenarios.
Appreciate that, but we're talking about access control here. The access control should take priority over anything else:

1) People expect it to be.

2) If the access control denies you, there's no point doing any more processing.

AllowOverride All is set (it's using the Apache config file); also everything apart from None is ticked in the LiteSpeed server config.
 

NiteWave

Administrator
#5
OK. I tested again based on the above reply.

the test URL is "127.0.1.1/directory/old.php"

with
RewriteEngine On
or
RewriteEngine Off,

#curl -I 127.0.1.1/directory/old.php
HTTP/1.1 403 Forbidden

Comment out "RewriteEngine On/Off" in .htaccess, then
#curl -I 127.0.1.1/directory/old.php
HTTP/1.1 200 OK

Can you confirm this behavior on your server?
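As an added example (my own script, not code from the thread or from LiteSpeed), the following POSIX shell script writes the /directory/.htaccess that mistwang suggests in #3 (deny from all plus RewriteEngine Off) and then verifies, the way NiteWave does in #5 with curl -I, that every path under /directory answers 403 rather than being routed through router.php. The host 127.0.1.1 and the file names come from the posts above; the script name, function names and the check's layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs the /directory protection
# mistwang suggests (deny from all + RewriteEngine Off) and checks it the way
# NiteWave did with "curl -I". Host 127.0.1.1 and the file names come from the
# posts above; everything else is an assumption of this script.

# Print the hardened /directory/.htaccess. "RewriteEngine Off" stops the parent
# directory's RewriteRule from routing old.php before the deny is applied.
# Note: "deny from all" only takes effect if the vhost allows it
# (AllowOverride includes "Limit", or is "All"), per NiteWave's finding in #2.
deny_htaccess() {
    cat <<'EOF'
order deny,allow
deny from all
RewriteEngine Off
EOF
}

# Write the hardened .htaccess into the given directory (creates it if needed).
install_deny_htaccess() {
    dir="$1"
    mkdir -p "$dir" && deny_htaccess > "$dir/.htaccess"
}

# Read "curl -I" output on stdin and print the status code of the last status
# line, so a redirect chain reports the final response rather than the 301.
http_status() {
    awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2 } END { print code }'
}

# Return 0 if the URL answers 403, 1 otherwise (prints a one-line verdict).
expect_403() {
    url="$1"
    code=$(curl -s -I "$url" | http_status)
    if [ "$code" = "403" ]; then
        echo "OK   $url -> $code"
        return 0
    fi
    echo "FAIL $url -> ${code:-no response} (expected 403)"
    return 1
}

# Check the directory itself, the static file and the PHP files: the PHP ones
# are the case the thread is about, since only they hit the router rewrite.
check_directory_denied() {
    base="${1:-http://127.0.1.1}"
    rc=0
    for path in /directory/ /directory/index.htm /directory/old.php /directory/old2.php; do
        expect_403 "$base$path" || rc=1
    done
    return $rc
}

# Usage: sh check_deny.sh http://127.0.1.1
# The live check only runs when a base URL is given on the command line.
if [ -n "${1:-}" ]; then
    check_directory_denied "$1"
fi
```

Run it once with the subdirectory's RewriteEngine line commented out and once with it present; on the 5.0.5 build discussed here the first run should show old.php and old2.php failing with 200 while the directory and index.htm pass, and the second run should show all four paths returning 403.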
 