'DO NOT REPLY [Bug 41760] .htaccess file ignored if AllowOverride'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-bugs
Subject:    DO NOT REPLY [Bug 41760] .htaccess file ignored if AllowOverride
From:       bugzilla () apache ! org
Date:       2009-09-23 1:55:16
Message-ID: 20090923015516.959B4234C1EB () brutus ! apache ! org
[Download RAW message or body]

https://issues.apache.org/bugzilla/show_bug.cgi?id=41760

--- Comment #15 from Matt McCutchen <matt@mattmccutchen.net> 2009-09-22 18:55:09 PDT ---
So I believe unruh, Mikel, and I are in agreement that the current semantic of
"AllowOverride None" is a gratuitous special case that is harmful to security. 
I'll recap the argument in case it isn't clear.

The normal effect of omitting a directive-type from AllowOverride is to forbid
the use of those directives in htaccess; if Apache finds one, it raises a 500
Internal Server Error.  This is a good thing: if for any reason a
directive-type is removed from AllowOverride in the master configuration, sites
using it stop working rather than become vulnerable.  With "AllowOverride Foo",
where Foo is a hypothetical directive-type that contains zero directives, an
htaccess file containing any directives at all would give a 500 error.  But
when we get to "AllowOverride None", the behavior suddenly changes: in effect,
all directives are silently ignored.

My web host, DreamHost, centrally manages the master Apache configuration but
uses essentially "AllowOverride All".  In this way, they leverage the careful
thought the developers put into which Apache directives are safe enough for
shared hosting to have htaccess context.  They expose a limited amount of the
remaining functionality through the customer control panel.  Comment #4 and
comment #9 seem to be claiming that htaccess is not supported for security.  I
certainly hope that's not the case; if it is, an giant warning in the manual
would be warranted, and web hosts will be deprived of a convenient way to offer
a safe subset of Apache functionality to their customers.

I understand that changing the behavior of "AllowOverride None" would break
existing configurations, which is bad.  But at least it should be deprecated in
favor of a new "AccessFileName none" syntax, which is the completely logical
way to say that no access files should be recognized.  Then I would like a new
syntax, perhaps "AllowOverride RejectAll", to process htaccess files but with
no directive-types allowed.

Shall I reopen?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic