asf-tooling opened a new issue, #1082: URL: https://github.com/apache/tooling-trusted-releases/issues/1082
**ASVS Level(s):** L1

**Description:**

### Summary

The Apache configuration for the /downloads/ directory does not explicitly set `AllowOverride None`, relying instead on Apache 2.4's default behavior. While the default is secure, explicit configuration provides defense-in-depth and prevents potential misconfiguration. In the unlikely scenario where AllowOverride is changed from the default, uploaded .htaccess files could override `SetHandler none` and enable script execution.

### Details

In `tooling-vm-ec2-de.apache.org.yaml` at lines 49-62 and 105-117, the `<Directory>` blocks for the downloads directory do not explicitly set `AllowOverride None`. This creates a defense-in-depth gap if Apache's default configuration is changed or overridden.

### Recommended Remediation

Make the security configuration explicit by adding `AllowOverride None` to both Apache `<Directory>` blocks in the YAML configuration for the downloads directory.

### Acceptance Criteria

- [ ] `AllowOverride None` added to both `<Directory>` blocks
- [ ] Apache configuration reloaded successfully
- [ ] Integration test verifying .htaccess files are ignored
- [ ] Unit test verifying the fix

### References

- Source reports: L1:5.3.1.md
- Related findings: FINDING-122, FINDING-236
- ASVS sections: 5.3.1

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
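The following is an added example, not code from the issue or from the tooling-trusted-releases project: a small audit that parses Apache `<Directory>` blocks from configuration text, reports blocks that leave `AllowOverride` to the server default or that lack `SetHandler none`, and applies the remediation the issue describes by inserting `AllowOverride None` where it is absent. The two configuration snippets and the `/srv/downloads` path are constructed for the example; the real YAML file's layout is not assumed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample (not the project's real configuration): a <Directory>
# block that relies on Apache 2.4's default AllowOverride, and the same block
# with the setting made explicit.
IMPLICIT_CONFIG = """
<Directory "/srv/downloads">
    Options -ExecCGI -Includes
    SetHandler none
    Require all granted
</Directory>
"""

EXPLICIT_CONFIG = """
<Directory "/srv/downloads">
    AllowOverride None
    Options -ExecCGI -Includes
    SetHandler none
    Require all granted
</Directory>
"""

# Matches <Directory path> ... </Directory>; group 1 is the path, group 2 the body.
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class DirectoryBlock:
    path: str
    # lowercase directive name -> argument strings, in the order they appear
    directives: dict[str, list[str]]


def parse_directory_blocks(config: str) -> list[DirectoryBlock]:
    """Extract every <Directory> block and its directives (comments stripped)."""
    blocks = []
    for match in DIRECTORY_RE.finditer(config):
        directives: dict[str, list[str]] = {}
        for raw in match.group(2).splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            name = parts[0].lower()
            args = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(name, []).append(args)
        blocks.append(DirectoryBlock(match.group(1), directives))
    return blocks


def audit_directory(block: DirectoryBlock) -> list[str]:
    """Return the defense-in-depth gaps found in one <Directory> block."""
    findings = []
    allow_override = block.directives.get("allowoverride")
    if allow_override is None:
        findings.append(
            "AllowOverride not set: relies on the server default "
            "(None on Apache 2.4, but All on 2.2 and when a parent block changes it)"
        )
    elif allow_override[-1].lower() != "none":
        findings.append(
            f"AllowOverride {allow_override[-1]}: an uploaded .htaccess could "
            "change handlers or options in this directory"
        )
    set_handler = block.directives.get("sethandler")
    if set_handler is None or set_handler[-1].lower() != "none":
        findings.append("SetHandler none missing: uploaded files may be handed to a handler")
    return findings


def audit_config(config: str) -> list[tuple[str, list[str]]]:
    """Audit every <Directory> block in a configuration; [] findings means clean."""
    return [(b.path, audit_directory(b)) for b in parse_directory_blocks(config)]


def add_allow_override_none(config: str) -> str:
    """Remediation: insert 'AllowOverride None' into blocks that do not set it."""
    def fix(match: re.Match) -> str:
        body = match.group(2)
        if re.search(r"^\s*AllowOverride\b", body, re.IGNORECASE | re.MULTILINE):
            return match.group(0)  # already explicit; leave untouched
        return f'<Directory "{match.group(1)}">\n    AllowOverride None{body}</Directory>'
    return DIRECTORY_RE.sub(fix, config)


if __name__ == "__main__":
    for path, findings in audit_config(IMPLICIT_CONFIG):
        print(path, findings or "clean")
    print(add_allow_override_none(IMPLICIT_CONFIG))
```

The audit only reports a block as clean when both `AllowOverride None` and `SetHandler none` are written out, which is the explicit posture the issue asks for; a block that merely inherits the 2.4 default is flagged so the gap is visible before the default is ever changed.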
