Bug 1138463 (Closed): mod_perl.pl does not allow Apache 2.4 "Require" directives
Opened 10 years ago, closed 10 years ago
Categories: Bugzilla :: Installation & Upgrading, defect
Status: RESOLVED DUPLICATE of bug 1223790
People: Reporter: dkl, Unassigned
Keywords: regression
Attachments: 1 obsolete file
I have also confirmed that I get an ISE using the default master .htaccess file when running mod_perl. Interestingly, it does not fail if running under mod_cgi.
-> cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
-> rpm -q httpd
httpd-2.4.6-19.el7.centos.x86_64
-> rpm -q mod_perl
mod_perl-2.0.8-10.20140624svn1602105.el7.x86_64
If I make the change outlined below, the site works as expected.
-- Comment copied from 1133690 --
Oddly enough 2.4.6 seems to be ok with it in httpd.conf but not in .htaccess.
# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jan 12 2015 13:22:31
# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-FAILED Fetch of images/padlock.png failed
Your web server could not fetch http://localhost/bugs/images/padlock.png.
Check your web server configuration and try again.
# tail error_log
[Mon Mar 02 11:06:36.891578 2015] [core:alert] [pid 32596] [client 127.0.0.1:18522] /opt/bugzilla5/.htaccess: Require not allowed here
# sed -i 's/2\.4/2\.5/' .htaccess
# ./testserver.pl http://localhost/bugs
TEST-OK Webserver is running under group id in $webservergroup.
TEST-OK Got padlock picture.
TEST-OK Webserver is executing CGIs via mod_cgi.
TEST-OK Webserver is preventing fetch of http://localhost/bugs/localconfig.
Flags: blocking5.0?
Updated•10 years ago
Comment 1•10 years ago
(In reply to David Lawrence [:dkl] from comment #0)
> If I make the change outlined below, the site works as expected.
This is not surprising. You are using the 2.2 syntax in that case.
Updated•10 years ago
Summary: .htaccess changes for different versions of apache causes internal server error under mod_perl → Apache 2.4 fails with mod_perl enabled
Reporter
Comment 2•10 years ago
Assigning. Thanks for looking at this.
Assignee: installation → jochen.wiedmann
Status: NEW → ASSIGNED
Comment 3•10 years ago
Per this email from January 2015 http://mail-archives.apache.org/mod_mbox/perl-modperl/201501.mbox/%3CCADED=K4qHxvcBVGDULwwRf5p4ZSTQn_MKD6Nne4gd6jSXC3-RA@mail.gmail.com%3E mod_perl 2.0.8 doesn't support Apache 2.4 yet. So it looks like this is not a Bugzilla bug.
Updated•10 years ago
Summary: Apache 2.4 fails with mod_perl enabled → mod_perl 2.0.8 and older do not support Apache 2.4
Reporter
Comment 4•10 years ago
(In reply to Frédéric Buclin from comment #3)
> Per this email from January 2015
> http://mail-archives.apache.org/mod_mbox/perl-modperl/201501.mbox/
> %3CCADED=K4qHxvcBVGDULwwRf5p4ZSTQn_MKD6Nne4gd6jSXC3-RA@mail.gmail.com%3E
> mod_perl 2.0.8 doesn't support Apache 2.4 yet. So it looks like this is not
> a Bugzilla bug.
Whether it will show up in a RHEL/CentOS update eventually is another matter.
dkl
Comment 5•10 years ago
I can still reproduce this error with mod_perl 2.0.9-dev. I reported this problem upstream:
http://mail-archives.apache.org/mod_mbox/perl-modperl/201503.mbox/%3C54FA23D9.2000301%40gmail.com%3E
Comment 6•10 years ago
This fixes the problem for me. If mod_perl is present, use the old directives.
Assignee: jochen.wiedmann → LpSolit
Attachment #8574165 -
Flags: review?(dkl)
Reporter
Comment 7•10 years ago
Comment on attachment 8574165
patch, v1
Review of attachment 8574165:
-----------------------------------------------------------------
r=dkl
Attachment #8574165 -
Flags: review?(dkl) → review+
Reporter
Updated•10 years ago
Flags: approval?
Flags: approval5.0?
Updated•10 years ago
Flags: approval4.4?
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Comment 8•10 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
64ad8e3..b70bdeb master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
154e70f..91e0780 5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
00466e7..f0c2b6b 4.4 -> 4.4
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Summary: mod_perl 2.0.8 and older do not support Apache 2.4 → mod_perl 2.0.8 and older do not support Apache 2.4 directives
Comment 9•10 years ago
Frédéric, are you sure this is the correct fix? I'm getting an error:
/var/www/bugzilla/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration
This is CentOS 7 with Apache 2.4 and mod_perl 2.0.8
If I comment out the weird logic then the error goes away.
This is what I have and this is how it works:
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion < 2.4>
      Deny from all
    </IfVersion>
    <IfVersion >= 2.4>
      <IfModule mod_perl.c>
        # Deny from all
      </IfModule>
      <IfModule !mod_perl.c>
        Require all denied
      </IfModule>
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>
Comment 10•10 years ago
(In reply to sander.lepik from comment #9)
> Frédéric, are you sure this is the correct fix?
I hope so. :)
> This is CentOS 7 with Apache 2.4 and mod_perl 2.0.8
mod_perl 2.0.8 is known to not support Apache 2.4. Does CentOS 7 offer an update to mod_perl 2.0.9?
> <IfVersion >= 2.4>
> <IfModule mod_perl.c>
> # Deny from all
> </IfModule>
With this line removed, you simply have no rules left, which is why you don't see any error anymore. This also means that your configuration file is now accessible to everyone, including your DB login + password and your secret key!
Comment 11•10 years ago
Yeah, I know, it was just for testing. And I don't think that there will be 2.0.9 for mod_perl, Red Hat is known to not upgrade versions in stable releases.
Are there alternatives for mod_perl on Apache? This would solve my problem too but I'm not sure how to configure it.
Comment 12•10 years ago
(In reply to sander.lepik from comment #11)
> Are there alternatives for mod_perl on Apache? This would solve my problem
> too but I'm not sure how to configure it.
If the load on your Bugzilla installation is not too large, you can simply remove mod_perl.
Comment 13•10 years ago
Ok, removed.. Thanks! :)
Comment 14•10 years ago
This fix is actually incorrect! It causes trouble if mod_access_compat is not enabled. The problem is not that mod_perl doesn't understand the Apache 2.4 syntax. The problem is that we forgot to fix mod_perl.pl to allow to override AuthConfig, see bug 1223790.
I'm backing out this patch from all branches per my discussion with dkl per email and on IRC:
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
7027d79..b94ffcb master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
3dbd99b..9177ade 5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
fab04c6..6c236bc 4.4 -> 4.4
Assignee: LpSolit → installation
Flags: blocking5.0+
Flags: approval5.0+
Flags: approval4.4+
Flags: approval+
Resolution: FIXED → DUPLICATE
Target Milestone: Bugzilla 4.4 → ---
Updated•10 years ago
Summary: mod_perl 2.0.8 and older do not support Apache 2.4 directives → mod_perl.pl does not allow Apache 2.4 "Require" directives
Updated•9 years ago
Attachment #8574165 -
Attachment is obsolete: true
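A static check for the failure discussed in comments 9, 10 and 14, added here as an example and not part of Bugzilla or of any comment in this bug: it resolves the <IfModule>/<IfVersion> conditions of an .htaccess block for a given server and reports whether the matched files end up denied, exposed, or behind a 500. The function names, the version/modules/allow_override inputs and the result strings are assumptions of this sketch, and it does not model whether mod_access_compat is loaded.

```python
import re

NEEDS = {"require": "AuthConfig", "deny": "Limit"}  # AllowOverride class each needs
OPS = {"<": tuple.__lt__, "<=": tuple.__le__, ">": tuple.__gt__, ">=": tuple.__ge__}

# Sample input: core of the block quoted in comment 9 (mod_perl branch commented out).
HTACCESS = r"""
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
<IfVersion < 2.4>
Deny from all
</IfVersion>
<IfVersion >= 2.4>
<IfModule mod_perl.c>
# Deny from all
</IfModule>
<IfModule !mod_perl.c>
Require all denied
</IfModule>
</IfVersion>
</FilesMatch>
"""

def enters(tag, arg, version, modules):
    """True if Apache reads this section's body; plain containers always are."""
    if tag == "ifversion":  # omitted minor/patch numbers count as zero
        op, num = arg.split()
        return OPS[op](version, tuple(map(int, (num + ".0.0").split(".")[:3])))
    return tag != "ifmodule" or (arg.lstrip("!") in modules) != arg.startswith("!")

def active_rules(text, version, modules):
    """Access directives left once <IfModule>/<IfVersion> are resolved."""
    stack, rules = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        tag = re.match(r"<(/?)(\w+)\s*(.*)>$", line)
        if tag and tag.group(1):
            stack.pop()
        elif tag:
            stack.append(enters(tag.group(2).lower(), tag.group(3), version, modules))
        elif all(stack) and line.split()[0].lower() in NEEDS:
            rules.append(line)
    return rules

def audit(text, version, modules, allow_override):
    """Predict what a request for a file matched by the block gets."""
    rules = active_rules(text, version, modules)
    bad = [r.split()[0] for r in rules if NEEDS[r.split()[0].lower()] not in allow_override]
    if bad:
        return "500: %s not allowed here" % bad[0]
    return "403: " + rules[0] if rules else "EXPOSED: no access rule applies"
```

With mod_perl.c in modules the sample yields the exposed outcome comment 10 warns about; with the Require branch active and an allow_override set lacking AuthConfig it yields the "Require not allowed here" failure seen in the error log in comment 0.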