https://bz.apache.org/bugzilla/show_bug.cgi?id=69917

            Bug ID: 69917
           Summary: AllowOverride inside .htaccess
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

.htaccess files provide the convenience of configs inside web directories, which
allows developers to affect configs even if those developers are separated
from website deployment (e.g. CMS developers). On the other hand, allowing all
.htaccess files might provide security risks, as maliciously uploaded .htaccess
files can allow code execution in upload directories.

AllowOverride allows website deployers to prevent .htaccess parsing in some
directories, but it requires some security awareness from the deployers.

Since .htaccess files are parsed starting from the root directory and have a
directory scope similar to the <Directory> directive, it might be a good idea to
allow AllowOverride inside .htaccess files to block .htaccess files in
subdirectories.

It is not proposed as a security measure, but as a convenience feature to allow
developers to set directory-related options in .htaccess files, instead of
explaining the configuration to deployers.

It should not affect existing users, as .htaccess files have been disabled by
default for a long time. Blocking .htaccess in subdirectories seems not to pose
many security risks, as an attacker capable of altering .htaccess can use that
htaccess to enable php inside that same file and add the payload in the comment.
The only case when that might pose risks is when that htaccess is restricted in
features by AllowOverride, but that would also require explicitly allowing use
of the proposed new feature, which prevents existing users from being affected.
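For reference, the mechanism the report says deployers must use today: AllowOverride is only valid in <Directory> sections of the main server config, so disabling .htaccess processing for an upload tree has to be done there rather than from a parent .htaccess. The following is an added illustration, not configuration from the report or from the httpd project; the paths are placeholders.

```apache
# Added example (not from the bug report): current httpd 2.4 way to let the
# application's .htaccess files apply in the web root while ignoring any
# .htaccess that lands in an upload directory. Paths are assumed placeholders.
<Directory "/var/www/example/htdocs">
    # Permit the overrides the application legitimately needs in its own tree.
    AllowOverride FileInfo Indexes Options=MultiViews
    Require all granted
</Directory>

<Directory "/var/www/example/htdocs/uploads">
    # Ignore .htaccess files entirely in the upload tree, whoever wrote them.
    AllowOverride None
    AllowOverrideList None
    # Serve uploads as static content only, regardless of handler mappings
    # configured elsewhere for the file extensions involved.
    SetHandler default-handler
    Options -ExecCGI -Includes
    Require all granted
</Directory>
```

Because the more specific <Directory> block is merged after its parent, the upload directory's AllowOverride None wins even though the parent permits overrides. Checking that an .htaccess dropped into the upload path has no effect (for example, that it cannot change the handler for files there) is the quick way to confirm the restriction is actually in force.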
