[391] in WWW Security List Archive
Re: NCSA htaccess and htgroup
daemon@ATHENA.MIT.EDU (--Martin Maiers--)
Wed Feb 15 12:38:04 1995
From: martinm@carina.cray.com (--Martin Maiers--)
To: www-security@ns2.rutgers.edu
Date: Wed, 15 Feb 95 8:02:53 CST
In-Reply-To: <Pine.SOL.3.91.950215010142.17713F-100000@kells>; from "Luke Duncan" at Feb 15, 95 1:04 am
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Luke Duncan writes:
>
>
> I'm running NCSA httpd 1.3 and I'm running into problems with the
> .htaccess files to restrict access. I have a large group of users
> (currently about 60, but it will be growing) set up in the .htgroup file,
> but when accessing the directory, the authentication is denied. It seems
> to work with smaller groups though.
>
> Has anyone else run into a problem like this or know of what might be
> causing it?
>
Good ol' static array definitions.

In the file httpd.h <lines 253-255> the default string lengths are defined.
Change:
> /* The default string lengths */
> #define MAX_STRING_LEN 256
> #define HUGE_STRING_LEN 8192
>
> to:
>
> /* The default string lengths */
> #define HUGE_STRING_LEN 8192
> #define MAX_STRING_LEN HUGE_STRING_LEN

This will increase the maximum size of an entry in .htgroup from 256 characters
to 8192. I wish they'd have used malloc instead...

Oddly enough, this is the same change recommended by the CIAC security
advisory issued yesterday as their short-term fix for a vulnerability
in NCSA's httpd. Someone has already posted that advisory to this group.

Martin
--
Martin Maiers PHONE: 1-612-683-3040
Cray Research, Inc. FAX: 1-612-683-3099
Eagan, MN 55121 USA EMAIL: martin.maiers@cray.com
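
Added illustration (not part of the original message and not NCSA httpd source): a simplified model of why a 60-member group entry fails with a 256-byte line buffer, next to a malloc-based reader of the kind the reply wishes for. The "group: member member ..." line layout, the function names and the sample data are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_STRING_LEN 256 /* value quoted in the message above */

/* 1 if `user` is a member on a "group: u1 u2 ..." line (assumed layout). */
static int in_members(const char *line, const char *group, const char *user) {
    size_t glen = strlen(group), ulen = strlen(user);
    if (strncmp(line, group, glen) != 0 || line[glen] != ':') return 0;
    for (const char *p = line + glen + 1; *p; ) {
        p += strspn(p, " \t\r\n");               /* skip separators */
        size_t n = strcspn(p, " \t\r\n");        /* length of next member name */
        if (n && n == ulen && memcmp(p, user, n) == 0) return 1;
        p += n;
    }
    return 0;
}
/* Fixed buffer: bytes past MAX_STRING_LEN-1 come back from the next fgets as a
   separate "line" with no group name, so those members are never matched. */
int member_fixed(FILE *f, const char *group, const char *user) {
    char l[MAX_STRING_LEN];
    rewind(f);
    while (fgets(l, sizeof l, f))
        if (in_members(l, group, user)) return 1;
    return 0;
}
/* Heap buffer that doubles until the whole line is held; caller frees. */
static char *read_line(FILE *f) {
    size_t cap = 128, len = 0;
    char *buf = malloc(cap), *t;
    while (buf && fgets(buf + len, (int)(cap - len), f)) {
        len += strlen(buf + len);
        if (buf[len - 1] == '\n' || cap - len > 1) return buf; /* full line or EOF */
        if (!(t = realloc(buf, cap *= 2))) { len = 0; break; } /* fail closed */
        buf = t;
    }
    if (!len) { free(buf); buf = NULL; }
    return buf;
}
int member_dynamic(FILE *f, const char *group, const char *user) {
    char *l; int found = 0;
    rewind(f);
    while (!found && (l = read_line(f))) { found = in_members(l, group, user); free(l); }
    return found;
}
/* Constructed sample: one line "staff: user01 ... user60" (426 characters). */
FILE *sample_group_file(void) {
    FILE *f = tmpfile();
    if (f) { fputs("staff:", f); for (int i = 1; i <= 60; i++) fprintf(f, " user%02d", i); fputc('\n', f); }
    return f;
}
```

With the constructed file, the fixed-buffer lookup matches user01 through user35 and misses user36 onward, while the heap-based lookup matches all 60.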