Should deny access to backup ~ files by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache2 Web Server | Invalid | Medium | |
apache2 (Ubuntu) | Invalid | Wishlist | Unassigned |
Bug Description
Binary package hint: apache2-common
There should really be a default global directive that denies access to backup ~ files, something like this:
<Files *~>
Deny from All
</Files>
Otherwise, backup files are such a common way that DB passwords, etc., are unintentionally exposed.
It would also be great if access was denied by default to other special files associated with certain modules. For example, I'm currently working with mod_python, for which something like this is needed:
<FilesMatch "\.(pyc|pyo)$">
Deny from All
</FilesMatch>
Perhaps this could be included in a "mod_python.conf" file?
I was unsure whether I should mark this as a security vulnerability, but I figure better safe than sorry. ;)
Cheers,
Jason
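An added example, not part of the original report and not Apache or Ubuntu code: a Python audit that walks a document root and lists the files the two proposed rules would cover, useful for finding backup and bytecode files already sitting in a served tree. The function names and the sample tree are assumptions made for illustration, and the matching approximates how Apache applies `<Files>` (wildcard) and `<FilesMatch>` (regex) to a file's base name.

```python
import fnmatch
import os
import re
import sys
import tempfile

# The two rules from the report. <Files> takes a shell-style wildcard and
# <FilesMatch> a regular expression; both are tested against the base name.
RULES = [
    ("<Files *~>", lambda name: fnmatch.fnmatchcase(name, "*~")),
    ('<FilesMatch "\\.(pyc|pyo)$">',
     lambda name: re.search(r"\.(pyc|pyo)$", name) is not None),
]


def audit_docroot(docroot):
    """Return sorted (relative_path, rule) pairs for files the rules cover."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            for label, matches in RULES:
                if matches(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                    findings.append((rel.replace(os.sep, "/"), label))
                    break  # one finding per file is enough
    return sorted(findings)


def build_sample_tree(root):
    """Create a small constructed tree (sample data, not from the report)."""
    for rel in ("index.html", "config.php~", "app/handler.py",
                "app/handler.pyc", "app/old.pyo"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_docroot(sys.argv[1])  # audit a real document root
    else:
        with tempfile.TemporaryDirectory() as tmp:  # constructed demo tree
            build_sample_tree(tmp)
            results = audit_docroot(tmp)
    for path, rule in results:
        print(f"{path}\tcovered by {rule}")
```

Run it with the document root as the only argument; with no argument it audits the constructed sample tree.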
Changed in apache2: importance: Undecided → Wishlist
Changed in apache2: status: New → Triaged
Changed in apache2: status: Unknown → Invalid
Changed in apache2: importance: Unknown → Medium
I've reported this bug to Apache: http://issues.apache.org/bugzilla/show_bug.cgi?id=44173