https://bz.apache.org/bugzilla/show_bug.cgi?id=58528

            Bug ID: 58528
           Summary: .htaccess access with default settings, probably
                    misparsing of AllowOverrideList
           Product: Apache httpd-2
           Version: 2.4.16
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]

I am trying to get HTTPD 2.4.16 to not access any .htaccess files in the
filesystem, but it seems to fail.

Checking with procmon (think strace for Windows), I see the httpd.exe process
is touching a lot of .htaccess files with win32 CreateFile() when loading the
favicon.ico.

It touches: d:\.htaccess and then every dir all the way up to the location
where favicon.ico is stored. A debugger confirms it is done in
core/ap_directory_walk().

It should not touch the .htaccess parsing, but this code does not trigger:

  /* No htaccess in an incomplete root path,
   * nor if it's disabled
   */
  if (seg < startseg || (!opts.override && opts.override_list == NULL)) {
     break;
  }

opts.override_list is non-NULL (pointing to some address in memory).

Looking at the code that sets override_list (in core.c / set_override_list()),
this smells fishy:

    d->override_list = apr_table_make(cmd->pool, argc);

    for (i=0;i<argc;i++){
        if (!strcasecmp(argv[i], "None")) {
            if (argc != 1) {
                return "'None' not allowed with other directives in "
                       "AllowOverrideList";
            }
            return NULL;
        }
    ...

d->override_list gets initialized with an empty table, but is not cleared in
the 'None' branch, when the return NULL is hit. So the above check on
opts.override_list == NULL would fail (if this value ends up there).

Not sure if that is the issue, but the effect is that .htaccess files get
touched, even though they should not be touched.

I have a rather trivial httpd.conf:

LoadModule authz_core_module modules/mod_authz_core.so
LoadModule alias_module modules/mod_alias.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so

<VirtualHost *:8080>
    ServerName                  localhost
    Protocol                    http
    DocumentRoot                "d:/code/trunk_clean/cdb"
</VirtualHost>

Listen 8080
PidFile "d:/temp/httpd.pid"

<Directory "/">
AllowOverride None
AllowOverrideList None
</Directory>
<Directory "d:/code/trunk_clean/cdb">
AllowOverride None
AllowOverrideList None
</Directory>

# Setup logging
ErrorLog "d:/temp/apache_error.log"
LogLevel warn

# We create our runtime files in the tempdir
DefaultRuntimeDir "d:/temp"

Alias "/favicon.ico" "d:/code/trunk_clean/cdb/w3/images/favicon.ico"

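The hypothesis in the report above, reduced to a stand-alone C model. This is an added example, not httpd source and not the reporter's code: `table_t`, `dir_opts` and the three functions are hypothetical stand-ins for the APR table and the core directory config, and storing an empty list as NULL is an assumed correction, not a confirmed fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

/* Hypothetical stand-in for apr_table_t: only the entry count matters. */
typedef struct { int nelts; } table_t;
typedef struct {
    int override;            /* AllowOverride bits, 0 == None */
    table_t *override_list;  /* AllowOverrideList table, or NULL */
} dir_opts;

/* Models the quoted set_override_list(): the table exists before "None" is seen. */
static const char *set_list_reported(dir_opts *d, int argc, const char *const argv[]) {
    d->override_list = calloc(1, sizeof(table_t));
    if (!d->override_list) return "out of memory";
    for (int i = 0; i < argc; i++) {
        if (!strcasecmp(argv[i], "None")) {
            if (argc != 1)
                return "'None' not allowed with other directives";
            return NULL;             /* empty table stays attached */
        }
        d->override_list->nelts++;   /* stands in for adding the directive name */
    }
    return NULL;
}

/* Assumed correction: an empty list is stored as NULL. */
static const char *set_list_cleared(dir_opts *d, int argc, const char *const argv[]) {
    const char *err = set_list_reported(d, argc, argv);
    if (!err && d->override_list->nelts == 0) {
        free(d->override_list);
        d->override_list = NULL;
    }
    return err;
}

/* The guard quoted from ap_directory_walk(), without the seg test. */
static bool htaccess_skipped(const dir_opts *o) {
    return !o->override && o->override_list == NULL;
}

int main(void) {
    const char *none[] = { "None" };
    dir_opts a = { 0, NULL }, b = { 0, NULL };
    set_list_reported(&a, 1, none);
    set_list_cleared(&b, 1, none);
    printf("reported skipped=%d, cleared skipped=%d\n", htaccess_skipped(&a), htaccess_skipped(&b));
    return 0;
}
```

In the model, the pointer comparison alone cannot tell "AllowOverrideList None" apart from a populated list; a guard that tested for an empty table instead would be another way to get the same result.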