https://bz.apache.org/bugzilla/show_bug.cgi?id=66167
Bug ID: 66167
Summary: Require all granted in vhost matches, not parsing rewrite rules in .htaccess
Product: Apache httpd-2
Version: 2.4.53
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Apache latest in Debian stable
vhost:
--- --- ---
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName sub.domain.tld
ServerAdmin [email protected]
DocumentRoot "/var/www/xxx"
<Directory "/var/www/xxx">
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
LogLevel debug rewrite:trace8
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
DeflateCompressionLevel 9
# Browser specific settings
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch \bOpera !no-gzip
</IfModule>
Header unset ETag
FileETag None
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 5 seconds"
ExpiresByType image/x-icon "access plus 604800 seconds"
ExpiresByType image/jpeg "access plus 604800 seconds"
ExpiresByType image/jpg "access plus 604800 seconds"
ExpiresByType image/png "access plus 604800 seconds"
ExpiresByType image/gif "access plus 604800 seconds"
ExpiresByType image/svg+xml "access plus 604800 seconds"
ExpiresByType application/x-shockwave-flash "access plus 604800 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 604800 seconds"
ExpiresByType application/javascript "access plus 604800 seconds"
ExpiresByType application/x-javascript "access plus 604800 seconds"
ExpiresByType application/font-woff "access plus 604800 seconds"
ExpiresByType application/font-woff2 "access plus 604800 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>
<IfModule mod_headers.c>
<filesMatch "\.(ico|jpe?g|png|gif|swf|svg)$">
Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(css)$">
Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(js)$">
Header set Cache-Control "private"
</filesMatch>
<filesMatch "\.(x?html?|php)$">
Header set Cache-Control "private, must-revalidate"
</filesMatch>
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.tld/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
--- --- ---
.htaccess in /var/www/xxx
--- --- ---
RewriteEngine On
# Disables access to myfile.php/something
AcceptPathInfo Off
# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/.*\.ph(p[3457]?|t|tml|ar)$
# http://sub.domain.tld/certificates/?id=123 to http://sub.domain.tld/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]
# Course redirection
RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]
# Rewrite everything in the scorm folder of a course to the download script
# except JS, CSS and some image files, which can be served directly
RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]
# Rewrite everything in the document folder of a course to the download script
# Except certificate resources, which might need to be accessible publicly to all
RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]
# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
# Course upload files
RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]
# Rewrite everything in the work folder
RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]
# Redirect all courses/ to app/courses/
RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]
# About session
RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [QSA,L]
# About course
RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [QSA,L]
# Issued individual badge friendly URL
RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [QSA,L]
# Issued badges friendly URL
RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]
# Support deprecated URL (avoid 404)
RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]
# Support old URLs using the exercice (with a c) folder rather than exercise
RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]
# Support old URLs using the newscorm folder rather than lp
RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]
# service Information
RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]
# LTI outcome service
RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]
# This rule is very generic and should always remain at the bottom of .htaccess
# http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
RewriteRule ^([^/.]+)/?$ user.php?$1 [L]
# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]
# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]
# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
AddType application/font-woff .woff .woff2
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType application/font-woff "access plus 1 month"
</IfModule>
--- --- ---
When visiting:
https://sub.domain.tld/app/upload/users/1/1/my_files/image.png
this rule from the .htaccess should apply:
# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]
However, trace says:
--- --- ---
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of Require all granted: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of <RequireAny>: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png
No rewrite pattern applied.
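For anyone triaging a report like this, it helps to separate "the rule set cannot match this path" from "mod_rewrite never processed the request". The following is an added Python example, not part of the bug report and not Apache code: it replays a constructed subset of the posted .htaccess rules, in their original relative order, against a directory-relative request path the way mod_rewrite evaluates per-directory rules (no leading slash in an .htaccess context, rules tried top to bottom, `[L]` ends the pass on the first match, `[F]` yields 403, `[NC]` makes the match case-insensitive, `$N` back-references are expanded). It deliberately ignores RewriteCond, query strings and the QSA flag, and uses Python's `re` rather than PCRE, so it only answers the first question; if it says a rule matches and the `rewrite:trace8` log still shows no rewrite activity, the rule set is not the place to keep looking.

```python
import re
from dataclasses import dataclass, field

# Hypothetical offline evaluator for a subset of mod_rewrite per-directory semantics.
# It is NOT mod_rewrite: no RewriteCond, no query strings / QSA, Python re instead of PCRE.


@dataclass
class Rule:
    pattern: str   # RewriteRule pattern, tested against the directory-relative path
    target: str    # substitution; "-" means "leave the path unchanged"
    flags: set = field(default_factory=set)


# Constructed subset of the rules from the posted .htaccess, in their original relative order.
RULES = [
    Rule(r"^courses/([^/]+)/document/(.*)$",
         r"main/document/download.php?doc_url=/$2&cDir=$1", {"QSA", "L"}),
    Rule(r"^courses/([^/]+)/(.*)$", r"app/courses/$1/$2", {"QSA", "L"}),
    Rule(r"^badge/(\d{1,})/?$", r"main/badge/issued.php?issue=$1", {"QSA", "L"}),
    Rule(r"^([^/.]+)/?$", r"user.php?$1", {"L"}),
    Rule(r"^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$",
         r"main/social/download_my_files.php?user_id=$2&file=$3", {"QSA", "L"}),
    Rule(r"^(tests|.git)", "-", {"F", "L", "NC"}),
]


def substitute(target: str, match: "re.Match") -> str:
    """Expand $1..$9 back-references in a RewriteRule substitution string."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", target)


def evaluate(path: str, rules=RULES):
    """Replay the rule set over a directory-relative path (no leading slash, as in .htaccess).

    Returns (result, index): result is the rewritten path, "FORBIDDEN" for an [F] rule,
    or None when nothing matched; index is the position of the rule that ended the pass.
    """
    current = path
    last = None
    for i, rule in enumerate(rules):
        re_flags = re.IGNORECASE if "NC" in rule.flags else 0
        m = re.search(rule.pattern, current, re_flags)
        if m is None:
            continue
        last = i
        if "F" in rule.flags:            # [F]: mod_rewrite answers 403 immediately
            return "FORBIDDEN", i
        if rule.target != "-":           # "-" keeps the path, only flags take effect
            current = substitute(rule.target, m)
        if "L" in rule.flags:            # [L]: stop processing this rule set
            return current, i
    return (current if last is not None else None), last


if __name__ == "__main__":
    # The path from the report plus a few constructed neighbours to show rule ordering.
    for p in ("app/upload/users/1/1/my_files/image.png", "jdoe",
              "courses/ABC/document/a/b.pdf", "courses/ABC/readme.txt",
              ".GIT/config", "index.php"):
        print(f"{p} -> {evaluate(p)}")
```

Run as a script it prints, for the report's path, that the fifth rule (index 4) rewrites it to `main/social/download_my_files.php?user_id=1&file=image.png`; the generic `^([^/.]+)/?$` rule placed above it does not interfere because the path contains slashes, and paths with a dot such as `index.php` fall through untouched.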