Closed Bug 1133690 Opened 9 years ago Closed 9 years ago

.htaccess incorrectly assumes that Apache 2.2.x can read new 2.4 directives

Categories

(Bugzilla :: Installation & Upgrading, defect)

4.4.8
defect
Not set
major

Tracking

()

RESOLVED FIXED
Bugzilla 4.4

People

(Reporter: aram535, Assigned: LpSolit)

References

Details

(Keywords: regression)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

OS: CentOS 6.5 (final) - 64bit

Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

Contains: AllowOverride Limit FileInfo Indexes Options

# git clone --branch 4.4 https://git.mozilla.org/bugzilla/bugzilla bugzilla
# cp <working>/localconfig ./bugzilla
# cd bugzilla
# ./testserver.pl <url>



Actual results:

# ./testserver.pl http://localhost/bugs/
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch 
http://localhost/bugs/images/padlock.png.
Check your web server configuration and try again.

# tail ..../error_log
[Tue Feb 17 10:14:30 2015] [alert] [client x.x.x.x] /<path>/.htaccess: Require not allowed here



Expected results:


To fix this:

git diff
diff --git a/.htaccess b/.htaccess
index d5bc8b2..3b464a4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,16 +1,6 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
 <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
-  <IfModule mod_version.c>
-    <IfVersion <= 2.2>
-     Deny from all
-    </IfVersion>
-    <IfVersion > 2.2>
-      Require all denied
-    </IfVersion>
-  </IfModule>
-  <IfModule !mod_version.c>
-    Deny from all
-  </IfModule>
+  deny from all
 </FilesMatch>
 
 Options -Indexes
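Review bot: collapsing the whole version-gated block to a bare `deny from all` removes the `Require all denied` branch along with the `<IfModule !mod_version.c>` fallback, so on an Apache 2.4 server that does not load mod_access_compat (the module that still understands `Order`/`Allow`/`Deny` on 2.4) this .htaccess would stop parsing altogether. The defect is the threshold, not the gating: mod_version treats `2.2` as `2.2.0`, so `<IfVersion > 2.2>` matches 2.2.15 and hands a 2.2 server the 2.4-only directive. Keep both branches and split them at the release boundary with `<IfVersion < 2.4>` / `<IfVersion >= 2.4>`.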
You use Apache 2.2.15, so your web server is not supposed to read "Require all denied" but "Deny from all". I cannot reproduce using Apache 2.2.15 on RHEL 6.6.
Assignee: general → installation
Component: Bugzilla-General → Installation & Upgrading
Depends on: 1121477
If I'm reading this right: 

VERSION = 2.2.15 
mod_version is enabled

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c> <!-- true -->
    <IfVersion <= 2.2> <!--  2.2.15 <= 2.2 ==> false -->
      Deny from all
    </IfVersion>
    
    <IfVersion > 2.2> <!-- 2.2.15 > 2.2 ==> true --> 
      Require all denied   <!-- invalid command --> 
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
I believe the break you're looking for is Apache 2.2 -> 2.4 not 2.0 -> 2.2.

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion <= 2.4>
      Deny from all
    </IfVersion>
    <IfVersion > 2.4>
      Require all denied
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
(In reply to Aram Mirzadeh from comment #2)
>     <IfVersion <= 2.2> <!--  2.2.15 <= 2.2 ==> false -->

>     <IfVersion > 2.2> <!-- 2.2.15 > 2.2 ==> true --> 

Oh yes, you are right! The Apache doc says that if the patch number is not given, it's assumed to be 0, so 2.2 translates to 2.2.0, not the 2.2 branch. Thanks for catching that!
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking5.0?
Flags: blocking4.4.9?
Keywords: regression
Summary: .htaccess: Require not allowed here → .htaccess incorrectly assumes that Apache 2.2.x can read new 2.4 directives
Target Milestone: --- → Bugzilla 4.4
(In reply to Aram Mirzadeh from comment #3)
>     <IfVersion <= 2.4>
>       Deny from all
>     </IfVersion>

This one is not correct. It should be < 2.4.


>     <IfVersion > 2.4>
>       Require all denied
>     </IfVersion>

And this one should be >= 2.4.
The rule is: never use <= (< x.y is safe, >= x.y is safe, but <= x.y is not, nor is > x.y).
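To make the two points above concrete (an omitted patch level is 0, so `2.2` means `2.2.0`; and a release boundary `x.y` must be split with `< x.y` / `>= x.y`, never `<= x.y` / `> x.y`), here is a small Python simulation of mod_version's numeric `<IfVersion>` comparison. It is example code written for this page, not part of Apache httpd or Bugzilla. The operator set and the "missing components are zero" rule follow the mod_version documentation; `select_directive`, `is_safe_split` and the `VARIANTS` table are this example's own names, and the server versions listed are the ones that appear in this bug's logs plus the `x.y.0` edges.

```python
"""Simulate Apache mod_version <IfVersion> comparisons (example code written
for this bug page; not part of Apache httpd or Bugzilla)."""
import operator
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major[.minor[.patch]]' into a 3-tuple.

    Components that are left out count as 0, as the mod_version docs state,
    so '2.2' is 2.2.0, not 'anything on the 2.2 branch'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


# Numeric operators mod_version accepts (the '~' regex form is not modelled).
_OPS = {
    "=": operator.eq, "==": operator.eq,
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
}
_COND = re.compile(r"\s*(!?)\s*(==|=|>=|<=|>|<)\s*(\d+(?:\.\d+){0,2})\s*")


def if_version(server: str, condition: str) -> bool:
    """Evaluate the condition of '<IfVersion CONDITION>' for a server version.

    CONDITION is '[!]OP VERSION', e.g. '>= 2.4' or '!< 2.4'.
    """
    m = _COND.fullmatch(condition)
    if not m:
        raise ValueError(f"unsupported <IfVersion> condition: {condition!r}")
    negate, op, version = m.groups()
    result = _OPS[op](parse_version(server), parse_version(version))
    return (not result) if negate else result


def select_directive(server: str, old_cond: str, new_cond: str) -> str:
    """Which access-control directive a two-branch .htaccess block emits.

    old_cond guards 'Deny from all' (2.2 syntax), new_cond guards
    'Require all denied' (2.4 syntax). 'both' and 'none' are both bugs.
    """
    old, new = if_version(server, old_cond), if_version(server, new_cond)
    if old and new:
        return "both"
    if old:
        return "Deny from all"
    if new:
        return "Require all denied"
    return "none"


def is_safe_split(old_cond: str, new_cond: str) -> bool:
    """The rule from the comment above: split a release boundary x.y with
    '< x.y' and '>= x.y'; '<= x.y' and '> x.y' put x.y.0 on the wrong side."""
    a, b = _COND.fullmatch(old_cond), _COND.fullmatch(new_cond)
    if not a or not b or a.group(1) or b.group(1):
        return False
    return (a.group(2), b.group(2)) == ("<", ">=") and \
        parse_version(a.group(3)) == parse_version(b.group(3))


# The three variants discussed in this bug, oldest first.
VARIANTS = {
    "original .htaccess (<= 2.2 / > 2.2)": ("<= 2.2", "> 2.2"),
    "comment 3 proposal (<= 2.4 / > 2.4)": ("<= 2.4", "> 2.4"),
    "landed fix (< 2.4 / >= 2.4)": ("< 2.4", ">= 2.4"),
}
# Server versions that appear in this bug's logs, plus the x.y.0 edges.
SERVERS = ["2.2.0", "2.2.15", "2.4.0", "2.4.6", "2.4.10", "2.4.12"]


def matrix() -> Dict[str, Dict[str, str]]:
    """Directive chosen by each variant for each server version."""
    return {name: {s: select_directive(s, *conds) for s in SERVERS}
            for name, conds in VARIANTS.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name}  safe={is_safe_split(*VARIANTS[name])}")
        for server, directive in row.items():
            print(f"  {server:<7} -> {directive}")
```

Running it shows the original block sending 2.2.15 to `Require all denied` (the reporter's failure), the comment 3 proposal sending 2.4.0 to `Deny from all`, and only the `< 2.4` / `>= 2.4` pair putting every server on the side its syntax belongs to.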
Agreed, and tested with both versions; it works.
Since I saw the version changed to 4.4.x, the latest released 4.4 branch is:

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  deny from all
</FilesMatch>

This may be a 5.0+ change only.
Assignee: installation → LpSolit
Status: NEW → ASSIGNED
Attachment #8566671 - Flags: review?(dkl)
Comment on attachment 8566671 [details] [diff] [review]
patch, v1 (master)

Review of attachment 8566671 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl but this only applies cleanly to trunk. We will need a new patch for 5.0 and older.
Attachment #8566671 - Flags: review?(dkl) → review+
Attachment #8566671 - Attachment description: patch, v1 → patch, v1 (master)
Attachment #8566695 - Flags: review?(dkl)
Attachment #8566704 - Flags: review?(dkl)
Comment on attachment 8566695 [details] [diff] [review]
patch for 5.0, v1

Review of attachment 8566695 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8566695 - Flags: review?(dkl) → review+
Comment on attachment 8566704 [details] [diff] [review]
patch for 4.4, v1

Review of attachment 8566704 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8566704 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: blocking5.0?
Flags: blocking4.4.9?
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   720e7d4..638dc65  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   9f1e365..639b50f  5.0 -> 5.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   0a18f0f..39a7bb9  4.4 -> 4.4
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
This should be tested against 2.5 not 2.4.

For example httpd v2.4.6 would fall to "Require" which is a 2.5 directive.

index 2f00969..85850b7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,10 +1,10 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
 <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
   <IfModule mod_version.c>
-    <IfVersion < 2.4>
+    <IfVersion < 2.5>
       Deny from all
     </IfVersion>
-    <IfVersion >= 2.4>
+    <IfVersion >= 2.5>
       Require all denied
     </IfVersion>
   </IfModule>
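Review bot: moving the threshold to 2.5 is not the right fix. `Require` is a mod_authz_core directive that exists on every 2.4 release, so with `< 2.5` every 2.4.x server takes the `Deny from all` branch, which only parses on 2.4 when mod_access_compat is loaded. The `Require not allowed here` alert seen on 2.4.6 is a context error rather than an unknown directive: it is what httpd reports when `.htaccess` uses `Require` but the enclosing `AllowOverride` lacks `AuthConfig`. Keep `< 2.4` / `>= 2.4` here and fix `AllowOverride` in httpd.conf instead.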
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The Apache documentation says that this directive is understood since httpd 2.3, not 2.5.

  http://httpd.apache.org/docs/current/en/mod/mod_authz_core.html#require
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Oddly enough 2.4.6 seems to be ok with it in httpd.conf but not in .htaccess.

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jan 12 2015 13:22:31

# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch http://localhost/bugs/images/padlock.png.
Check your web server configuration and try again.

# tail error_log
[Mon Mar 02 11:06:36.891578 2015] [core:alert] [pid 32596] [client 127.0.0.1:18522] /opt/bugzilla5/.htaccess: Require not allowed here

# sed -i 's/2\.4/2\.5/' .htaccess
# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-OK Got padlock picture.
TEST-OK Webserver is executing CGIs via mod_cgi.
TEST-OK Webserver is preventing fetch of http://localhost/bugs/localconfig.
Blocks: 1138463
No longer blocks: 1138463
Okay, understood. Please assign to me, I'll provide a patch.
Hm, the new htaccess file from 4.4.9 and 5.0rc is broken.
On apache24 (2.4.12) access is denied if mod_version is loaded; to get access again to bugzilla 4.4.9 or 5.0rcx, mod_version should be turned off.
(In reply to olli hauer from comment #20)
> Hm, the new htaccess file from 4.4.9 and 5.0rc is broken.
> On apache24 (2.4.12) access is denied if mod_version is loaded, to get
> access again to bugzilla 4.4.9 or 5.0rcx mod_version should be turned off.

I have Apache 2.4.7 and mod_version enabled, and things are working fine. Are you sure you don't have an old .htaccess file? Bugzilla doesn't fix existing .htaccess files. You have to manually delete old ones and let checksetup.pl create new ones.
Yes, I'm sure because I wiped all .htaccess files before on the test system, the only thing I keep during the tests is a database dump and the localconfig.$project files.
Hopefully I will have some spare time tomorrow to do another test, also with the new mod_perl-2.9.0-rc2.
(In reply to olli hauer from comment #22)
> Hopefully I will have some spare time tomorrow to do another test, also with
> the new mod_perl-2.9.0-rc2.

Ah, you are testing with mod_perl enabled? mod_perl 2.0.8 and older are known to fail with Apache 2.4, see bug 1138463. Last time I tested with mod_perl-2.9.0-dev, it was still broken. Let me know if they fixed the problem in 2.9.0rc2.
No, not tested with the new mod_perl until now (it was too late for today).

The new mod_perl rc2 seems really usable with apache22 and apache24 with every MPM combination (at least all tests went OK on my other test systems).
http://www.freshports.org/www/mod_perl2/
Internal server error after upgrading

OS: OS X Yosemite

Server version: Apache/2.4.10 (Unix)

bugzilla_5.0rc3

[Sun Jun 28 11:26:26.664537 2015] [core:alert] [pid 28820] [client ::1:59506] /Library/WebServer/Documents/bugzilla/.htaccess: Require not allowed here
I had errors like "/var/www/html/bugzilla/.htaccess: Require not allowed here, referer: http://xxx"

I used the provided Apache config from https://bugzilla.readthedocs.org/en/5.0/installing/apache.html but had to add one more parameter to make it "AllowOverride Limit FileInfo Indexes Options AuthConfig".
I found why some of you still get the ".htaccess: Require not allowed here" error! In httpd.conf, our documentation recommends to write:

  AllowOverride Limit FileInfo Indexes Options

Per the Apache documentation, Limit is used to permit the Allow, Deny and Order directives inside .htaccess. But Apache 2.4 no longer uses Allow nor Deny, but Require. But in order to use this directive, you must add AuthConfig to AllowOverride:

  AllowOverride Limit FileInfo Indexes Options AuthConfig


I filed bug 1223790 to fix the documentation.
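The two `AllowOverride` lines from the comment above, placed in the kind of `<Directory>` block the Bugzilla Apache documentation uses, next to the `.htaccess` block this bug landed. This is an added example for this page, not the project's own configuration; the `/var/www/html/bugzilla` path is taken from the error message in comment 27 and is assumed to be the Bugzilla document directory.

```apache
# httpd.conf, weak form: what the documentation recommended before bug 1223790.
# "Limit" permits Order/Allow/Deny in .htaccess and "Options" permits
# "Options -Indexes", but no group here permits "Require", so Apache 2.4 logs
# ".htaccess: Require not allowed here" and answers every request under the
# directory with an internal server error.
<Directory "/var/www/html/bugzilla">
    AllowOverride Limit FileInfo Indexes Options
</Directory>

# httpd.conf, corrected form: AuthConfig is the AllowOverride group that
# permits "Require" (and the other mod_authz_core / mod_auth* directives).
<Directory "/var/www/html/bugzilla">
    AllowOverride Limit FileInfo Indexes Options AuthConfig
</Directory>

# .htaccess as landed for this bug: a 2.2 server never sees "Require", a 2.4
# server never sees "Deny", because mod_version reads "2.4" as 2.4.0.
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion < 2.4>
      Deny from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all denied
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
```

Two checks worth making on a 2.4 host: `AllowOverride` must list `AuthConfig` (the whole `AllowOverride All` form has the same effect), and if mod_version is not loaded the `Deny from all` fallback will only parse when mod_access_compat is loaded, since on 2.4 that module is what provides `Order`, `Allow` and `Deny`.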
If so, isn't that actually a bug in the "AllowOverride" statement, because it should interpret "Limit" like it did in 2.2?