.htaccess warning

Unknown wrote:
Hey guys,
I've just found a huge security bug in my server config.

In /var/www/mysite I have a folder named (let's say) "zzz" and a folder named "zzzcache". "zzz" is the parent of "zzz/images", "zzz/css", "zzz/js", etc. - it should be public. "zzzcache" is for cache (used by my own CI cache library) where I keep things like user data - it should be private.
So, the .htaccess configuration (based on the one from the CI user guide) was:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|zzz)
RewriteRule ^(.*)$ /index.php/$1 [L]

Looks good, right?
Well... it is wrong. There is web access to zzzcache :/

Correct .htaccess file looks like this:

Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|zzz/)
RewriteRule ^(.*)$ /index.php/$1 [L]
It wasn't obvious to me, and it became a huge security bug. Maybe there should be an update to the user_guide? From:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

To:

Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|images/|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

Or even:

Code:
RewriteEngine on
RewriteCond $1 !^(index\.php/|images/|robots\.txt/)
RewriteRule ^(.*)$ /index.php/$1 [L]

ps.
I know it was a stupid thing to have o+r on cache files... but I still think that the default .htaccess from the user_guide is confusing.
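The bug above is a regex-anchoring problem: `!^(index\.php|zzz)` negates a match that is anchored only at the start, so any request path beginning with "zzz" (including "zzzcache/...") satisfies the exclusion and is served straight from disk. The script below is an added example, not code from the post, the user guide, or the CodeIgniter project. It mirrors `RewriteCond $1 !^(...)` with Python's `re.match` (in a per-directory .htaccess, `$1` is the request path relative to that directory, without a leading slash), runs the loose and fixed patterns over a constructed document-root listing, and generalizes the fix: it builds an alternative list in which every public directory carries a trailing slash and reports which entries a given pattern would expose. The directory names, file names and the `DOCROOT_ENTRIES` listing are constructed for the example.

```python
import re

# Constructed document-root listing modelled on the post (not the poster's real server).
# Paths are relative to the directory holding the .htaccess, as mod_rewrite sees $1.
DOCROOT_ENTRIES = [
    "index.php",
    "zzz/images/logo.png",
    "zzz/css/site.css",
    "zzz/js/app.js",
    "zzzcache/user_42.dat",           # private cache file that leaked
    "application/config/database.php",
    "system/core/CodeIgniter.php",
]

# The two RewriteCond patterns from the post, as Python regexes.
LOOSE = r"^(index\.php|zzz)"    # original: "zzz" also matches "zzzcache/..."
FIXED = r"^(index\.php|zzz/)"   # corrected: only the directory and its children


def served_directly(pattern, path):
    """Mirror `RewriteCond $1 !<pattern>`.

    The condition is negated, so when the pattern matches the rewrite to
    index.php is skipped and Apache serves the path from disk as-is.
    """
    return re.match(pattern, path) is not None


def classify(pattern, paths):
    """Map each request path to what the rule does with it."""
    return {p: ("file" if served_directly(pattern, p) else "index.php") for p in paths}


def leaked_paths(pattern, paths, public_prefixes):
    """Paths the pattern serves from disk although they are not under a public prefix.

    A prefix ending in "/" is a directory; anything else is an exact file name.
    """
    def is_public(p):
        for pre in public_prefixes:
            if pre.endswith("/") and p.startswith(pre):
                return True
            if not pre.endswith("/") and p == pre:
                return True
        return False

    return sorted(p for p in paths if served_directly(pattern, p) and not is_public(p))


def build_pattern(public_files, public_dirs):
    """Build an anchored alternative list for RewriteCond.

    Files are regex-escaped and matched exactly at the start; directories get a
    trailing slash so "zzz/" cannot also match "zzzcache/...".
    """
    alts = [re.escape(f) for f in public_files]
    alts += [re.escape(d.rstrip("/")) + "/" for d in public_dirs]
    return "^(" + "|".join(alts) + ")"


if __name__ == "__main__":
    public = ["index.php", "zzz/"]
    for name, pat in (("loose", LOOSE), ("fixed", FIXED)):
        print(f"--- {name}: {pat}")
        for path, action in classify(pat, DOCROOT_ENTRIES).items():
            print(f"  {path:35} -> {action}")
        print("  leaked:", leaked_paths(pat, DOCROOT_ENTRIES, public))
    print("generated:", build_pattern(["index.php", "robots.txt"], ["images"]))
```

With `FIXED` the bare request "zzz" (no trailing slash) no longer matches and is rewritten to index.php; if that matters, list the directory both with and without the slash, or let the trailing-slash check happen elsewhere. Either way, a rewrite exclusion is not an access control: the cache directory is still readable by Apache, so the durable fix is to keep it outside the document root or deny it explicitly (`Require all denied` in a `<Directory>` block on Apache 2.4), and treat the anchored pattern as a second line of defence.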