.htaccess incorrectly assumes that Apache 2.2.x can read new 2.4 directives

RESOLVED FIXED in Bugzilla 4.4

Status

Product: Bugzilla
Component: Installation & Upgrading
Priority: --
Severity: major
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 2 years ago

People

(Reporter: Aram Mirzadeh, Assigned: Frédéric Buclin)

Tracking

Version: 4.4.8
Target Milestone: Bugzilla 4.4
Keywords: regression
Bug Flags:
approval +
approval5.0 +
approval4.4 +

Details

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

OS: CentOS 6.5 (final) - 64bit

Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

Contains: AllowOverride Limit FileInfo Indexes Options

# git clone --branch 4.4 https://git.mozilla.org/bugzilla/bugzilla bugzilla
# cp <working>/localconfig ./bugzilla
# cd bugzilla
# ./testserver.pl <url>



Actual results:

# ./testserver.pl http://localhost/bugs/
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch 
http://localhost/bugs/images/padlock.png.
Check your web server configuration and try again.

# tail ..../error_log
[Tue Feb 17 10:14:30 2015] [alert] [client x.x.x.x] /<path>/.htaccess: Require not allowed here



Expected results:


To fix this:

git diff
diff --git a/.htaccess b/.htaccess
index d5bc8b2..3b464a4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,16 +1,6 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
 <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
-  <IfModule mod_version.c>
-    <IfVersion <= 2.2>
-     Deny from all
-    </IfVersion>
-    <IfVersion > 2.2>
-      Require all denied
-    </IfVersion>
-  </IfModule>
-  <IfModule !mod_version.c>
-    Deny from all
-  </IfModule>
+  deny from all
 </FilesMatch>
 
 Options -Indexes
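Review bot: Collapsing the whole version-conditional into an unconditional `deny from all` throws away the `Require all denied` branch that this file carries for newer servers, so the proposed fix is wider than the defect. What the error_log shows is a boundary error, not a reason to drop the conditional: with mod_version, a bare `2.2` compares as `2.2.0`, so on 2.2.15 `<IfVersion <= 2.2>` is false and `<IfVersion > 2.2>` is true, which is exactly what selects the `Require` directive the 2.2 server cannot parse. Keep the structure and move the boundary to `<IfVersion < 2.4>` / `<IfVersion >= 2.4>` instead.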
(Assignee)

Comment 1

3 years ago
You use Apache 2.2.15, so your web server is not supposed to read "Require all denied" but "Deny from all". I cannot reproduce using Apache 2.2.15 on RHEL 6.6.
Assignee: general → installation
Component: Bugzilla-General → Installation & Upgrading
Depends on: 1121477
(Reporter)

Comment 2

3 years ago
If I'm reading this right: 

VERSION = 2.2.15 
mod_version is enabled

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c> <!-- true -->
    <IfVersion <= 2.2> <!--  2.2.15 <= 2.2 ==> false -->
      Deny from all
    </IfVersion>
    
    <IfVersion > 2.2> <!-- 2.2.15 > 2.2 ==> true --> 
      Require all denied   <!-- invalid command --> 
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
(Reporter)

Comment 3

3 years ago
I believe the break you're looking for is Apache 2.2 -> 2.4 not 2.0 -> 2.2.

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion <= 2.4>
      Deny from all
    </IfVersion>
    <IfVersion > 2.4>
      Require all denied
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
(Assignee)

Comment 4

3 years ago
(In reply to Aram Mirzadeh from comment #2)
>     <IfVersion <= 2.2> <!--  2.2.15 <= 2.2 ==> false -->

>     <IfVersion > 2.2> <!-- 2.2.15 > 2.2 ==> true --> 

Oh yes, you are right! The Apache doc says that if the patch number is not given, it's assumed to be 0, so 2.2 translates to 2.2.0, not the 2.2 branch. Thanks for catching that!
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking5.0?
Flags: blocking4.4.9?
Keywords: regression
Summary: .htaccess: Require not allowed here → .htaccess incorrectly assumes that Apache 2.2.x can read new 2.4 directives
Target Milestone: --- → Bugzilla 4.4
(Assignee)

Comment 5

3 years ago
(In reply to Aram Mirzadeh from comment #3)
>     <IfVersion <= 2.4>
>       Deny from all
>     </IfVersion>

This one is not correct. It should be < 2.4.


>     <IfVersion > 2.4>
>       Require all denied
>     </IfVersion>

And this one should be >= 2.4.
(Assignee)

Comment 6

3 years ago
The rule is: never use <= (< x.y is safe, >= x.y is safe, but <= x.y is not, nor is > x.y).
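
The comparison rule in comments 4 and 6 is easy to get wrong by eye, so here is a small evaluator, added for this bug and not Bugzilla or Apache code, that resolves `<IfModule>`/`<IfVersion>` blocks the way mod_version does: omitted version components count as 0, so `2.2` means `2.2.0`. The two `.htaccess` fragments are transcribed from this bug (the original file and the `< 2.4` / `>= 2.4` correction from comment 5); the function names, the `lint_version_bounds` check and the restriction to the directive shapes those fragments use are this example's own assumptions.

```python
"""Evaluate <IfModule>/<IfVersion> blocks the way mod_version does.

Added example for this bug; not Bugzilla or Apache code.  mod_version
fills in missing version components with 0, so "2.2" is 2.2.0: on
httpd 2.2.15, "<IfVersion <= 2.2>" is false and "<IfVersion > 2.2>" is
true, which is what handed the 2.4-only "Require" to a 2.2 server.
"""
import re
from typing import List, Set, Tuple

# Transcribed from the bug: the original .htaccess fragment.
BUGGY_HTACCESS = r"""
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion <= 2.2>
      Deny from all
    </IfVersion>
    <IfVersion > 2.2>
      Require all denied
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>

Options -Indexes
"""

# Same file with the boundaries corrected as in comment 5: < 2.4 / >= 2.4.
FIXED_HTACCESS = BUGGY_HTACCESS.replace("<= 2.2", "< 2.4").replace("> 2.2", ">= 2.4")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.2' -> (2, 2, 0); '2.4.6' -> (2, 4, 6).  Omitted parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b,
}


def if_version(server: str, op: str, wanted: str) -> bool:
    """Truth value of <IfVersion {op} {wanted}> on a server running {server}."""
    return _OPS[op](parse_version(server), parse_version(wanted))


_OPEN = re.compile(r"^<(IfModule|IfVersion)\s+(.+?)\s*>$")
_CLOSE = re.compile(r"^</(IfModule|IfVersion)>$")
_COND = re.compile(r"^(<=|>=|==|<|>|=)\s*([\d.]+)$")   # no regex (~) form


def effective_directives(config: str, server_version: str,
                         loaded_modules: Set[str]) -> List[str]:
    """Directives httpd would apply after resolving nested IfModule/IfVersion.
    Containers this parser does not evaluate (FilesMatch) are passed through."""
    live = [True]          # stack: is the enclosing block active?
    out: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            kind, arg = opened.groups()
            if kind == "IfModule":
                negate = arg.startswith("!")
                cond = (arg.lstrip("!") in loaded_modules) != negate
            else:
                cmp = _COND.match(arg)
                if cmp is None:
                    raise ValueError(f"unsupported IfVersion test: {arg}")
                cond = if_version(server_version, cmp.group(1), cmp.group(2))
            live.append(live[-1] and cond)
        elif _CLOSE.match(line):
            live.pop()
        elif live[-1]:
            out.append(line)
    return out


def lint_version_bounds(config: str) -> List[str]:
    """Flag <IfVersion> tests that use <= or > against a version with fewer
    than three components (comment 6's rule: 'x.y' really means x.y.0)."""
    bad = []
    for raw in config.splitlines():
        line = raw.strip()
        opened = _OPEN.match(line)
        if not opened or opened.group(1) != "IfVersion":
            continue
        cmp = _COND.match(opened.group(2))
        if cmp and cmp.group(1) in ("<=", ">") and cmp.group(2).count(".") < 2:
            bad.append(line)
    return bad


if __name__ == "__main__":
    cases = (("2.2.15", {"mod_version.c"}), ("2.4.6", {"mod_version.c"}), ("2.4.6", set()))
    for version, mods in cases:
        # index 1 is the directive inside <FilesMatch>; index 0 is the container line
        print(version, sorted(mods), "buggy:", effective_directives(BUGGY_HTACCESS, version, mods)[1])
        print(version, sorted(mods), "fixed:", effective_directives(FIXED_HTACCESS, version, mods)[1])
    print("lint:", lint_version_bounds(BUGGY_HTACCESS))
```

Running it shows the original file handing `Require all denied` to 2.2.15, the corrected file giving `Deny from all` on 2.2.15 and `Require all denied` on 2.4.6, and the fallback `Deny from all` when mod_version is not loaded at all; the lint flags exactly the two `<= 2.2` / `> 2.2` tests.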
(Reporter)

Comment 7

3 years ago
Agreed, and tested with both versions; it works.
(Reporter)

Comment 8

3 years ago
Since I saw the version changed to 4.4.x: the latest released 4.4 branch is:

<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  deny from all
</FilesMatch>

This may be a 5.0+ change only.
(Assignee)

Comment 9

3 years ago
Created attachment 8566671 [details] [diff] [review]
patch, v1 (master)
Assignee: installation → LpSolit
Status: NEW → ASSIGNED
Attachment #8566671 - Flags: review?(dkl)
Comment on attachment 8566671 [details] [diff] [review]
patch, v1 (master)

Review of attachment 8566671 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl but this only applies cleanly to trunk. We will need a new patch for 5.0 and older.
Attachment #8566671 - Flags: review?(dkl) → review+

Updated

3 years ago
Attachment #8566671 - Attachment description: patch, v1 → patch, v1 (master)
(Assignee)

Comment 11

3 years ago
Created attachment 8566695 [details] [diff] [review]
patch for 5.0, v1
Attachment #8566695 - Flags: review?(dkl)
(Assignee)

Comment 12

3 years ago
Created attachment 8566704 [details] [diff] [review]
patch for 4.4, v1
Attachment #8566704 - Flags: review?(dkl)
Comment on attachment 8566695 [details] [diff] [review]
patch for 5.0, v1

Review of attachment 8566695 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8566695 - Flags: review?(dkl) → review+
Comment on attachment 8566704 [details] [diff] [review]
patch for 4.4, v1

Review of attachment 8566704 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8566704 - Flags: review?(dkl) → review+

Updated

3 years ago
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: blocking5.0?
Flags: blocking4.4.9?
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
(Assignee)

Comment 15

3 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   720e7d4..638dc65  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   9f1e365..639b50f  5.0 -> 5.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   0a18f0f..39a7bb9  4.4 -> 4.4
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 16

3 years ago
This should be tested against 2.5, not 2.4.

For example httpd v2.4.6 would fall to "Require" which is a 2.5 directive.

index 2f00969..85850b7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,10 +1,10 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
 <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
   <IfModule mod_version.c>
-    <IfVersion < 2.4>
+    <IfVersion < 2.5>
       Deny from all
     </IfVersion>
-    <IfVersion >= 2.4>
+    <IfVersion >= 2.5>
       Require all denied
     </IfVersion>
   </IfModule>
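Review bot: Moving the boundary from 2.4 to 2.5 puts it on the wrong side of the directive's introduction: `Require all denied` is the 2.4 form (the mod_authz_core reference linked in comment 17 says it exists since 2.3), so with `< 2.5` every 2.4.x server would be handed the pre-2.4 `Deny from all` instead. The "Require not allowed here" alert on 2.4.6 that motivated this hunk is an AllowOverride problem rather than a version problem: `Require` in .htaccess needs AuthConfig in the httpd.conf AllowOverride line, and the recommended `AllowOverride Limit FileInfo Indexes Options` lacks it (comment 27). Leave the 2.4 boundary as it is and fix the AllowOverride line.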
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 17

3 years ago
The Apache documentation says that this directive is understood since httpd 2.3, not 2.5.

  http://httpd.apache.org/docs/current/en/mod/mod_authz_core.html#require
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 18

3 years ago
Oddly enough 2.4.6 seems to be ok with it in httpd.conf but not in .htaccess.

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jan 12 2015 13:22:31

# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch http://localhost/bugs/images/padlock.png.
Check your web server configuration and try again.

# tail error_log
[Mon Mar 02 11:06:36.891578 2015] [core:alert] [pid 32596] [client 127.0.0.1:18522] /opt/bugzilla5/.htaccess: Require not allowed here

# sed -i 's/2\.4/2\.5/' .htaccess
# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-OK Got padlock picture.
TEST-OK Webserver is executing CGIs via mod_cgi.
TEST-OK Webserver is preventing fetch of http://localhost/bugs/localconfig.

Updated

3 years ago
Blocks: 1138463
(Assignee)

Updated

3 years ago
No longer blocks: 1138463

Comment 19

3 years ago
Okay, understood. Please assign to me, I'll provide a patch.

Comment 20

2 years ago
Hm, the new htaccess file from 4.4.9 and 5.0rc is broken.
On apache24 (2.4.12) access is denied if mod_version is loaded; to get access again to bugzilla 4.4.9 or 5.0rcx, mod_version should be turned off.
(Assignee)

Comment 21

2 years ago
(In reply to olli hauer from comment #20)
> Hm, the new htaccess file from 4.4.9 and 5.0rc is broken.
> On apache24 (2.4.12) access is denied if mod_version is loaded, to get
> access again to bugzilla 4.4.9 or 5.0rcx mod_version should be turned off.

I have Apache 2.4.7 and mod_version enabled, and things are working fine. Are you sure you don't have an old .htaccess file? Bugzilla doesn't fix existing .htaccess files. You have to manually delete old ones and let checksetup.pl create new ones.

Comment 22

2 years ago
Yes, I'm sure, because I wiped all .htaccess files before on the test system; the only thing I keep during the tests is a database dump and the localconfig.$project files.
Hopefully I will have some spare time tomorrow to do another test, also with the new mod_perl-2.9.0-rc2.
(Assignee)

Comment 23

2 years ago
(In reply to olli hauer from comment #22)
> Hopefully I have tomorrow some spare time to do another test, also with the
> new mod_perl-2.9.0-rc2.

Ah, you are testing with mod_perl enabled? mod_perl 2.0.8 and older are known to fail with Apache 2.4, see bug 1138463. Last time I tested with mod_perl-2.9.0-dev, it was still broken. Let me know if they fixed the problem in 2.9.0rc2.

Comment 24

2 years ago
No, not tested with the new mod_perl until now (it was too late for today).

The new mod_perl rc2 seems really usable with apache22 and apache24 with every MPM combination (at least all tests went OK on my other test systems).
http://www.freshports.org/www/mod_perl2/

Comment 25

2 years ago
Internal server error after upgrading

OS OSX Yosemite

Server version: Apache/2.4.10 (Unix)

bugzilla_5.0rc3

[Sun Jun 28 11:26:26.664537 2015] [core:alert] [pid 28820] [client ::1:59506] /Library/WebServer/Documents/bugzilla/.htaccess: Require not allowed here

Comment 26

2 years ago
I had errors like "/var/www/html/bugzilla/.htaccess: Require not allowed here, referer: http://xxx"

I used the provided Apache config from https://bugzilla.readthedocs.org/en/5.0/installing/apache.html but had to add one more parameter to make it "AllowOverride Limit FileInfo Indexes Options AuthConfig".
(Assignee)

Comment 27

2 years ago
I found why some of you still get the ".htaccess: Require not allowed here" error! In httpd.conf, our documentation recommends to write:

  AllowOverride Limit FileInfo Indexes Options

Per the Apache documentation, Limit is used to permit the Allow, Deny and Order directives inside .htaccess. But Apache 2.4 no longer uses Allow nor Deny, but Require. But in order to use this directive, you must add AuthConfig to AllowOverride:

  AllowOverride Limit FileInfo Indexes Options AuthConfig


I filed bug 1223790 to fix the documentation.
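
The AllowOverride explanation in comment 27 can be checked mechanically. The following is an added example, not Bugzilla or Apache code: it takes a resolved `.htaccess` body plus an `AllowOverride` argument list and returns the directive lines httpd would refuse with "not allowed here". The directive-to-group table is the example's own (Allow/Deny/Order under Limit, Require under AuthConfig, Options under Options, as in the Apache 2.4 directive reference); any directive not in that table is simply not checked, and the two `.htaccess` bodies are what the corrected file resolves to on 2.2 and on 2.4.

```python
"""Which .htaccess directives does an AllowOverride line actually permit?

Added example for comment 27; not Bugzilla or Apache code.  httpd rejects a
directive found in .htaccess with "<Directive> not allowed here" when the
override group that directive belongs to is missing from AllowOverride.
"""
from typing import Dict, List, Set

# Directive (lower-cased) -> AllowOverride group that enables it in .htaccess.
# Only the directives Bugzilla's .htaccess uses are listed (assumption: the
# table is this example's, from the Apache 2.4 directive reference).
OVERRIDE_GROUP: Dict[str, str] = {
    "allow": "Limit",         # mod_access_compat on 2.4, core on 2.2
    "deny": "Limit",
    "order": "Limit",
    "require": "AuthConfig",  # mod_authz_core, Apache 2.4
    "options": "Options",
}

ALL_GROUPS = {"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"}

# What the corrected .htaccess resolves to on a 2.2 server ...
HTACCESS_ON_22 = r"""
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  Deny from all
</FilesMatch>
Options -Indexes
"""
# ... and on a 2.4 server.
HTACCESS_ON_24 = HTACCESS_ON_22.replace("Deny from all", "Require all denied")

DOCUMENTED = "Limit FileInfo Indexes Options"   # the documented httpd.conf line
CORRECTED = DOCUMENTED + " AuthConfig"          # comment 27's fix


def parse_allow_override(value: str) -> Set[str]:
    """Expand an AllowOverride argument list into the set of enabled groups.
    'Options=Indexes,...' style restrictions are treated as plain Options."""
    groups: Set[str] = set()
    for word in value.split():
        if word == "All":
            return set(ALL_GROUPS)
        if word == "None":
            return set()
        groups.add(word.split("=", 1)[0])
    return groups


def rejected_directives(htaccess: str, allow_override: str) -> List[str]:
    """Directive lines httpd would refuse with '... not allowed here'.
    Container open/close tags and comments are not directives and are skipped."""
    allowed = parse_allow_override(allow_override)
    rejected: List[str] = []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        group = OVERRIDE_GROUP.get(line.split()[0].lower())
        if group is not None and group not in allowed:
            rejected.append(line)
    return rejected


if __name__ == "__main__":
    print("2.2 body, documented AllowOverride:", rejected_directives(HTACCESS_ON_22, DOCUMENTED))
    print("2.4 body, documented AllowOverride:", rejected_directives(HTACCESS_ON_24, DOCUMENTED))
    print("2.4 body, corrected AllowOverride: ", rejected_directives(HTACCESS_ON_24, CORRECTED))
```

With the documented line, the 2.2 body passes and the 2.4 body fails on `Require all denied`, which is the alert the reporters saw; adding `AuthConfig` clears it. The check does not need a running httpd, so it can sit beside a deployment script that writes httpd.conf.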

Comment 28

2 years ago
If so, isn't that actually a bug in the "AllowOverride" statement, because it should interpret "Limit" like it did in 2.2?