Many Apache users use .htaccess files to control access to files. Of course, sometimes only some files are password protected:
<Files ~ “admin.*">
…
Require valid-user
</files>
Now, this wouldn’t protect a file named AdminList, or ADMINFOO, because regular expressions are not usually case-insensitive, but no problem; just name your files consistently.
On OS X, the default filesystem is case-insensitive (technically case-preserving). This means that, if there is a file named ‘adminlist.php’, and you enter the URL ADMINLIST.PHP:
1. The Files directive doesn’t match it.
2. The web server displays it without complaint, because it can open a file by that name.
If you serve pages on OS X, and use .htaccess, you have to fix this. Now.
Note that the canonical <Files ~ “^\.ht”> used to prevent access to .htpasswd does not prevent access to .HTPASSWD. Seriously, this is bad mojo. (But Apple does it right in their httpd.conf…)
Comments [archived]
From: mph
Date: 2008-08-21 13:33:31 -0500
Your stuff in angle brackets isn’t showing up.
From: Mauro
Date: 2008-09-15 14:29:41 -0500
This comment has nothing to do with Apache on OS X. When are we going to see the code for the winners of the latest IOCCC? Did you guys just give up?