Hi,
We've come across a serious bug with the processing of access restrictions (allow/deny) and .htaccess. Here's the situation:
/
.htaccess has a Rewrite to push all .php requests through a centralised router for legacy reasons.
RewriteCond %{REQUEST_URI} ^(.*)\.php$
RewriteRule (.*) router.php [QSA]
/directory
.htaccess contains:
order deny,allow
deny from all
/directory has some PHP files in it:
index.htm
old.php
old2.php
If you try and access /directory you get a 403 forbidden, same if you try and access index.htm. If you try and access old.php directly, it gets passed to the centralised router defined in /.htaccess and executed by the router. It completely ignores the access restrictions in /directory/.htaccess - this is a serious bug.
I have tested this same scenario in Apache and it correctly gives a 403 for anything inside /directory
Litespeed Enterprise 5.0.5
Thanks,
Karl
We've come across a serious bug with the processing of access restrictions (allow/deny) and .htaccess. Here's the situation:
/
.htaccess has a Rewrite to push all .php requests through a centralised router for legacy reasons.
RewriteCond %{REQUEST_URI} ^(.*)\.php$
RewriteRule (.*) router.php [QSA]
/directory
.htaccess contains:
order deny,allow
deny from all
/directory has some PHP files in it:
index.htm
old.php
old2.php
If you try and access /directory you get a 403 forbidden, same if you try and access index.htm. If you try and access old.php directly, it gets passed to the centralised router defined in /.htaccess and executed by the router. It completely ignores the access restrictions in /directory/.htaccess - this is a serious bug.
I have tested this same scenario in Apache and it correctly gives a 403 for anything inside /directory
Litespeed Enterprise 5.0.5
Thanks,
Karl
Last edited: