At 14:37 02/10/2002 +0300, netcat wrote:
On Wed, 2 Oct 2002, Alan MacDonald wrote:
[snip]
> I use .htaccess files to control access - will this patch clobber that?

if the workaround consists of disabling usage of .htaccess files then implementing it of course will make it impossible to use .htaccess files. how could it be otherwise?
Not necessarily. A workaround does not by definition mean that it is the solution to a problem - it's a 'work around'. ;)
quote 'A local user may exploit a vulnerability in Apache through specially crafted ".htaccess" files'.
The vulnerability lies in Apache. A 'fix' which means that you can no longer use .htaccess files would not be, in my mind, a great fix.
I am assuming/hoping/praying that the patch works by fixing the flaw in Apache that /allows/ specially crafted .htaccess files to cause an exploit. This would not require the use of AllowOverride None in httpd.conf. I would be happy :)
Can someone tell me whether the patch breaks the use of .htaccess files in any way?
rgds
Alan MacDonald
--
Webmaster - aceposition.com
webmaster@xxxxxxxxxxxxxxx
+353 51 855 939