Question
I noted that the default .htaccess specifies a <Files> stanza for several scripts (edit, preview, save, attach, upload, rename, installpasswd) to declare the same thing, 'require valid-user'.
While I was tweaking my ModPerl setup I needed to explicitly define what scripts were to run under ModPerl. A similar situation (where each program was to have a stanza of settings).
Long story short...
I took:
<Files "edit">
require valid-user
</Files>
<Files "preview">
require valid-user
</Files>
<Files "save">
require valid-user
</Files>
<Files "attach">
require valid-user
</Files>
<Files "upload">
require valid-user
</Files>
<Files "rename">
require valid-user
</Files>
<Files "installpasswd">
require valid-user
</Files>
And made it:
<FilesMatch "^(edit|preview|save|attach|upload|rename|installpasswd)$">
require valid-user
</FilesMatch>
My question being: is any sanity/time/space really saved by the above?
- TWiki version: [Version: 01 Dec 2001]
- Web server: Apache/1.3.26 (Unix) mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.6a
- Server OS: FreeBSD 4.6-STABLE
- Web browser: IE 6.0
- Client OS: XP/Home
--
DrewCard - 27 Jul 2002
Answer
Moved from Support since this is a Codev issue. It is somewhat more elegant to list the files like this, so we might as well do it - easier to add a script, at least.
--
RichardDonkin - 27 Jul 2002
Originally I felt it would be better to specify the individual programs explicitly. When I tried to specify the multiple files originally in a <Files> stanza like:
<files "edit" "preview" _etc_ >
it earned me an error...
[Sat Jul 27 11:04:29 2002] [alert] [client XXX.XXX.XXX.XXX] /usr/local/www/twiki/bin/.htaccess: Multiple <Files> arguments not (yet) supported.
Thus leading me to the regular expression style.
--
DrewCard - 05 Aug 2002
It seems to me that if you choose to require a valid-user, you would want to protect all of the scripts in the bin directory. Identifying them explicitly in the conf can create holes in your security if you add plugins or other scripts into that bin dir and forget to modify your config. I would suggest the following if you're using Apache 2.0 or greater:
<FilesMatch "^(?!oops)">
require valid-user
</FilesMatch>
--
MichaelKeenan - 22 Nov 2003
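An added example (not from this thread or from TWiki) that audits which scripts in a bin directory actually fall under a 'require valid-user' stanza. It compares the explicit list from the thread against the negated pattern above, using a constructed .htaccess fragment and a constructed bin listing that includes a hypothetical plugin script named pluginhook; the "hole" Michael describes is the script the explicit list never mentions.

```python
import re

# Constructed .htaccess fragments (taken from the two forms shown in this thread).
HTACCESS_EXPLICIT = """
<FilesMatch "^(edit|preview|save|attach|upload|rename|installpasswd)$">
require valid-user
</FilesMatch>
"""

# Negative lookahead needs a PCRE-style regex engine, which is why the
# thread restricts this form to Apache 2.0 or later.
HTACCESS_NEGATED = """
<FilesMatch "^(?!oops)">
require valid-user
</FilesMatch>
"""

# Constructed bin listing: stock scripts plus a hypothetical plugin script.
BIN_SCRIPTS = ["view", "edit", "preview", "save", "attach", "upload",
               "rename", "installpasswd", "oops", "pluginhook"]

# Matches <Files "name"> ... </Files> and <FilesMatch "regex"> ... </FilesMatch>.
STANZA = re.compile(r'<(Files|FilesMatch)\s+"([^"]*)"\s*>(.*?)</\1>', re.S)

def protected_scripts(htaccess, scripts):
    """Return the subset of `scripts` covered by a stanza that contains
    'require valid-user'. <Files> compares the literal name; <FilesMatch>
    applies the regex to the name (anchored only where the regex says so)."""
    protected = set()
    for kind, pattern, body in STANZA.findall(htaccess):
        if "require valid-user" not in body:
            continue
        for name in scripts:
            if kind == "Files":
                hit = name == pattern
            else:
                hit = re.search(pattern, name) is not None
            if hit:
                protected.add(name)
    return protected

def unprotected_scripts(htaccess, scripts):
    """Sorted list of scripts reachable without authentication."""
    return sorted(set(scripts) - protected_scripts(htaccess, scripts))

if __name__ == "__main__":
    print("explicit list leaves open:", unprotected_scripts(HTACCESS_EXPLICIT, BIN_SCRIPTS))
    print("negated pattern leaves open:", unprotected_scripts(HTACCESS_NEGATED, BIN_SCRIPTS))
```

Running it shows the explicit list leaves view, oops and the new pluginhook script open, while the negated pattern leaves only oops open.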
MichaelKeenan: In some corporate environments, the ability to read from the server is determined by whether you can connect to it; you only need to authenticate to edit things (so that revision control works, for example). Forcing a login for all scripts is overkill, and causes trouble with less technical users - they tend not to listen when they're told that just reading pages can expose their login for editing use, but can make the link between logging in to make changes, and needing to log out.
--
SimonFarnsworth - 08 Sep 2005