[wp-trac] Re: [WordPress Trac] #3796: Using permalinks can prevent access to password protected folders.
WordPress Trac
wp-trac at lists.automattic.com
Thu Feb 15 21:02:44 GMT 2007
#3796: Using permalinks can prevent access to password protected folders.
---------------------------------------------------+------------------------
 Reporter:  Bassetts                               |      Owner:  anonymous
     Type:  defect                                 |     Status:  new
 Priority:  low                                    |  Milestone:  2.3
Component:  Administration                         |    Version:  2.1
 Severity:  minor                                  | Resolution:
 Keywords:  htaccess password protected permalinks |
---------------------------------------------------+------------------------
Changes (by Otto42):
* priority: high => low
* severity: major => minor
Comment:
This has to do with the way .htaccess works in this unusual situation.

Actually, those "ErrorDocument" lines don't need to point to the folder in question. They simply need to point to any file which actually exists.

.htaccess files are additive. Whenever you request a page, the webserver basically goes through every directory down the tree from the root (specified by the closest match of <Directory ...> in the httpd.conf file), and adds all the .htaccess files together. As it traverses them, it parses each one. Later .htaccess files override previous ones, but only for the same specified items. RewriteRules are cumulative.

So what is going on is that the authorization in the password protected directory is forcing a 401 response ("Authorization Required") back to the client. Normally, the client would get the 401 and ask for a password. However, in this case, this 401 response is intercepted by the WordPress RewriteRules, which say to rewrite everything to WordPress. This is because .htaccess files are cumulative and your closest matching Directory is the root.

So, by forcing an ErrorDocument for the 401 response before the WordPress rules, you pre-empt them (since the file actually exists, the RewriteRules won't take effect upon it due to the -f, or -d in the above case), causing your 401 document to be sent instead of rewriting to WordPress. However, the client doesn't care about that document; it sees the 401 and asks for a password.

The 403 line will cause it to send back a forbidden message on password entry failure. If you leave that off, the client actually will get redirected back to WordPress in that case.

Other possible solutions are:
- Add a new Directory statement to httpd.conf, specifically specifying your password protected directory, thus bypassing the WordPress rewrites from the htaccess search path.
- Add another rewrite to the top of the WordPress rewrites that pre-empts them for that directory only.

Forcing a 401/403 ErrorDocument seems like the best solution to me, since it will work with any password protected subdirectories you care to add, without having to specify them.

Or perhaps WordPress itself can recognize the 401/403 response when it starts and exit early to eliminate this problem, although that may cause other problems.

But this problem has existed for a long time, it only affects a small number of users, and it exists for other packages that use the "RewriteRule . index.php" type of rewrites as well. It's a combination of circumstances, not a critical flaw.
--
Ticket URL: <http://trac.wordpress.org/ticket/3796#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
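The ErrorDocument approach described in the comment above, written out as an added example that is not part of the ticket or of WordPress itself. The protected directory name private/, the error-page paths under /errors/ and the htpasswd location are assumptions; the rewrite block is the standard one WordPress generates for permalinks.

```apache
# --- /var/www/html/private/.htaccess (assumed path) ---
# Basic auth in the protected folder. Apache answers 401 until the
# browser sends credentials, and 403 when the credentials are wrong.
AuthType Basic
AuthName "Private area"
# Assumed location; keep the password file outside the web root.
AuthUserFile /etc/apache2/private.htpasswd
Require valid-user

# --- /var/www/html/.htaccess (site root) ---
# The ErrorDocument lines go ABOVE the WordPress block. Both targets
# must be files that really exist: the internal redirect to them then
# fails the "!-f" condition below, so the catch-all rule does not hand
# the 401/403 response to index.php. The browser still sees the 401
# status and prompts for a password.
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Alternative from the comment, for one directory only: put a
# pass-through rule first so the WordPress rules never see it.
# RewriteRule ^private/ - [L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Apache does not allow a comment after a directive on the same line, so the comments above are kept on lines of their own.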