DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44262>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44262

           Summary: AllowOverride Options= grants the permission of the
                    'All' option.
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


If one option is permitted, 'All' is permitted. 
Impact:
The user can use CGI/SSI/Symlink from any place with own .htaccess.
Example:

httpd.conf:
<Directory "/home/*/public_html">
    AllowOverride Options=Indexes
    Options Indexes
</Directory>

/home/user/public_html/.htaccess:
Options +All


source code:
httpd-2.2.6/server/core.c line 1461:
         if (!(cmd->override_opts & opt) && opt != OPT_NONE) {

When opt contains two or more bits, override_opts passes any bits of opt.
In 2.2.6 cases, OPT_ALL is defined 
as "(OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)".

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to