Writing new module for Apache 2.0

2002-11-20 Thread Prajakt Deolasee
Hi All,

I am trying to write a new module for post processing of the response.
I am using Apache 2.0 as a reverse proxy.

I wrote a module called mod_xyz. Apache could load the module properly
and the xyz_register_hook method was also called properly. In the hook
function I wrote the following code,

#include <stdio.h>
#include "httpd.h"
#include "http_config.h"

static void xyz_register_hook(apr_pool_t *p)
{
    xyz_hook_response_handler(ap_xyz_response_handler, NULL, NULL,
                              APR_HOOK_REALLY_LAST);
}

and ap_xyz_response_handler function looks like this,

int ap_xyz_response_handler(request_rec *r)
{
    printf("Hello");
    // Send a message to stderr (apache redirects this to the error log)
    fprintf(stderr, "apache2_mod_tut1: A request was made.\n");

    // We need to flush the stream for messages to appear right away.
    // Performing an fflush() in a production system is not good for
    // performance - don't do this for real.
    fflush(stderr);

    // Return DECLINED so that the Apache core will keep looking for
    // other modules to handle this request.  This effectively makes
    // this module completely transparent.
    return DECLINED;
}

But this function is never called. Can somebody tell me what's wrong with this.

-Prajakt



Re: Renames (Gee, it's a mail from thom, it must be renames)

2002-11-20 Thread Jeff Trawick
Thom May [EMAIL PROTECTED] writes:

 So what is the consensus with the renames? The patch is available from
 http://cvs.apache.org/~thommay/full-rename-diff and seems good - it builds
 and passes tests on (at least) BeOS and OS X.
 Also, httpd and svn don't need any changes to still work - the functions are
 all wrapped by the old names. So it's just binary compatibility that's the
 problem.

But binary incompatibility breaks the notion of a stable httpd API.
Can we hold off until Sander tags everything for an httpd release?
(I guess Sander is still planning to tag.)

-- 
Jeff Trawick | [EMAIL PROTECTED]
Born in Roswell... married an alien...



Re: Writing new module for Apache 2.0

2002-11-20 Thread Jeff Trawick
Prajakt Deolasee [EMAIL PROTECTED] writes:

 static void xyz_register_hook(apr_pool_t *p)
 {
   xyz_hook_response_handler(ap_xyz_response_handler, NULL, NULL, 
APR_HOOK_REALLY_LAST);
 }
...
 But this function is never called. Can somebody tell me what's wrong with this.

If you hook it really last then you've hooked it *after* whichever
hook is going to handle it, and subsequent hooks won't be called.

Hook it REALLY_FIRST.

-- 
Jeff Trawick | [EMAIL PROTECTED]
Born in Roswell... married an alien...
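To make the ordering point concrete, here is a small added model of a RUN_FIRST hook dispatcher (this is example code written for this digest, not APR's hook implementation or any code from the thread). The order constants keep the same relative order as APR_HOOK_REALLY_FIRST through APR_HOOK_REALLY_LAST, but the values, the dispatcher and the two sample handlers are local to this example. A handler registered REALLY_LAST behind a handler that returns OK never runs; registered REALLY_FIRST it runs, returns DECLINED, and the request still falls through to the next hook.

```c
/* Added example: a minimal RUN_FIRST hook chain, modelled on Apache's handler
 * hook. Not APR code; constants and dispatcher are local to this example. */
#include <stdio.h>
#include <stdlib.h>

#define DECLINED (-1)
#define OK 0

/* Same relative order as APR_HOOK_REALLY_FIRST .. APR_HOOK_REALLY_LAST. */
enum { HOOK_REALLY_FIRST = -10, HOOK_FIRST = 0, HOOK_MIDDLE = 10,
       HOOK_LAST = 20, HOOK_REALLY_LAST = 30 };

typedef int (*handler_fn)(const char *uri);

typedef struct {
    handler_fn fn;
    const char *name;
    int order;
} hook_entry;

#define MAX_HOOKS 8
static hook_entry hooks[MAX_HOOKS];
static int nhooks;

/* Register a handler with an ordering value (the role ap_hook_handler plays). */
void hook_register(handler_fn fn, const char *name, int order) {
    if (nhooks < MAX_HOOKS) {
        hooks[nhooks].fn = fn;
        hooks[nhooks].name = name;
        hooks[nhooks].order = order;
        nhooks++;
    }
}

void hook_reset(void) { nhooks = 0; }

static int by_order(const void *a, const void *b) {
    return ((const hook_entry *)a)->order - ((const hook_entry *)b)->order;
}

/* RUN_FIRST semantics: call hooks in ascending order and stop at the first
 * one that does not return DECLINED. Returns the index of the hook that
 * handled the request, or -1 if every hook declined. (qsort is not stable,
 * so this model assumes distinct order values; APR resolves ties itself.) */
int run_first(const char *uri) {
    qsort(hooks, (size_t)nhooks, sizeof hooks[0], by_order);
    for (int i = 0; i < nhooks; i++) {
        int rv = hooks[i].fn(uri);
        if (rv != DECLINED) return i;
    }
    return -1;
}

static int transparent_calls;   /* how often the transparent hook ran */

/* Stand-in for the core handler: serves everything and returns OK. */
static int default_handler(const char *uri) { (void)uri; return OK; }

/* The mod_xyz pattern from the question: log, then DECLINE. */
static int transparent_handler(const char *uri) {
    fprintf(stderr, "mod_xyz: request for %s\n", uri);
    transparent_calls++;
    return DECLINED;
}

/* Register the default handler at MIDDLE and the transparent one at `order`,
 * run one request, and report how many times the transparent hook ran. */
int calls_when_hooked_at(int order) {
    hook_reset();
    transparent_calls = 0;
    hook_register(default_handler, "default", HOOK_MIDDLE);
    hook_register(transparent_handler, "mod_xyz", order);
    run_first("/index.html");
    return transparent_calls;
}

int main(void) {
    printf("REALLY_LAST : mod_xyz ran %d time(s)\n",
           calls_when_hooked_at(HOOK_REALLY_LAST));
    printf("REALLY_FIRST: mod_xyz ran %d time(s)\n",
           calls_when_hooked_at(HOOK_REALLY_FIRST));
    return 0;
}
```

The first call prints 0 and the second prints 1, which is the behaviour Jeff describes: once an earlier hook has handled the request, nothing registered after it is consulted.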



Re: mod_usertrack.c modifications and child seg faults

2002-11-20 Thread Jeff Trawick
Joe Oppegaard [EMAIL PROTECTED] writes:

 Once I switch over to the if statement that first checks for r->content_type
 then calls strcmp, everything works just as expected.
 
 Any ideas on why this is?

the simple answer is because r->content_type has not yet been set at
this point

and if you look at other code in Apache you'll see checks to verify
that r->content_type is actually set

as for why r->content_type isn't set as of the fixup hook on this
particular request, I do not know...  it depends on the config
affecting this request and what other modules are doing

 --- mod_usertrack.c.orig2002-11-19 23:36:26.0 -0800
 +++ mod_usertrack.c 2002-11-19 23:37:55.0 -0800
 @@ -222,8 +222,16 @@
 
  return DECLINED;/* There's already a cookie, no new one */
  }
make_cookie(r);
return OK;  /* We set our cookie */
 +

is this really the right patch?  how do you even get to the code below
given the unconditional return OK right above?

 +
 +/*if (r-content_type  strcmp(r-content_type,text/html) == 0) {*/
 +if (strcmp(r-content_type,text/html) == 0) {
 +make_cookie(r);
 +return OK;
 +}
 +else {
 +return DECLINED;
 +}
  }
 
  static void *make_cookie_log_state(apr_pool_t *p, server_rec *s)
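Review bot: the live line `+if (strcmp(r-content_type,text/html) == 0) {` dereferences r->content_type with no NULL guard, while the guarded form directly above it is commented out; at the fixup stage content_type may still be unset (as the reply explains), so strcmp reads through a NULL pointer and that alone explains the child segfault. Restore `if (r->content_type && strcmp(r->content_type, "text/html") == 0)` as the live condition. Also, as already noted, the new block is unreachable while the unconditional `return OK;` is left in place in front of it; those two lines need `-` markers.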

-- 
Jeff Trawick | [EMAIL PROTECTED]
Born in Roswell... married an alien...



Re: mod_usertrack.c modifications and child seg faults

2002-11-20 Thread Joe Oppegaard
On 20 Nov 2002, Jeff Trawick wrote:
 
 Joe Oppegaard [EMAIL PROTECTED] writes:
 
  Once I switch over to the if statement that first checks for r->content_type
  then calls strcmp, everything works just as expected.
  
  Any ideas on why this is?
 
 the simple answer is because r->content_type has not yet been set at
 this point
 
 and if you look at other code in Apache you'll see checks to verify
 that r->content_type is actually set
 
 as for why r->content_type isn't set as of the fixup hook on this
 particular request, I do not know...  it depends on the config
 affecting this request and what other modules are doing

Ah yes, that's true; I noticed that in a few other modules. In trying to 
figure this out, I had thrown in an ap_rprintf statement, and seen 
that r->content_type is actually holding a value at this point.

In the code below this will actually spit back out to the browser what 
the content type is. If I uncomment the if with just the strcmp by 
itself it will segfault. Though when that strcmp statement wasn't there, 
the printf showed that the value existed at that point, correct? 

Of course, using the if statement that first checks r->content_type 
still works perfectly. 

I can handle the answer of "that's just how you do it", but I'm confused 
on why.

--- mod_usertrack.c.orig2002-11-19 23:36:26.0 -0800
+++ mod_usertrack.c 2002-11-20 11:29:33.0 -0800
@@ -222,8 +222,18 @@

 return DECLINED;/* There's already a cookie, no new one */
 }
-make_cookie(r);
-return OK;  /* We set our cookie */
+
+
+ap_rprintf(r,r-content_type holds %s, r-content_type);
+/*if (r-content_type  strcmp(r-content_type,text/html) == 0) {*/
+/*if (strcmp(r-content_type,text/html) == 0) {*/
+if (1) {
+   make_cookie(r);
+return OK;
+}
+else {
+return DECLINED;
+}
 }

 static void *make_cookie_log_state(apr_pool_t *p, server_rec *s)
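Review bot: `+ap_rprintf(r,r-content_type holds %s, r-content_type);` hands r->content_type straight to a %s conversion; when the pointer is NULL that is undefined behaviour (glibc happens to print "(null)"), so seeing a value for one request does not show the field is always set at fixup time, which is the question under discussion. The `if (1)` placeholder also sets the cookie on every request regardless of content type, and emitting body output from the fixup hook with ap_rprintf starts the response before any content handler runs. Drop both before this goes anywhere, and make the guarded comparison, `r->content_type && strcmp(r->content_type, "text/html") == 0`, the live condition rather than a comment.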



old patch snipped

 is this really the right patch?  how do you even get to the code below
 given the unconditional return OK right above?
 

Oops! There should have been a few minus signs there.

The patch above is correct now though. :)

___
Joe Oppegaard
http://joppegaard.com

GnuPG/PGP Information:
Key: 1024D/272159F6
Keyserver: pgp.mit.edu
By web: http://joppegaard.com/files/0x272159F6.asc
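The whole exchange comes down to one missing NULL check, so here is an added illustration in plain C (written for this digest; it is not code from the thread or from mod_usertrack). It puts the unguarded comparison from the posted patch beside a NULL-safe version, and then a slightly more general matcher that also accepts `text/html; charset=utf-8` and differences in case, which an exact strcmp against "text/html" would miss. The sample content-type values in it are constructed for the example.

```c
/* Added example: NULL-safe content-type checks. Not code from mod_usertrack. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The pattern from the posted patch: dereferences ct even when it is NULL,
 * which is exactly the crash seen in the child process. Kept here only to
 * show the defect; never call it with a possibly-unset pointer. */
int is_html_unguarded(const char *ct) {
    return strcmp(ct, "text/html") == 0;
}

/* NULL-safe: a missing content type is simply "not HTML". */
int is_html_guarded(const char *ct) {
    return ct != NULL && strcmp(ct, "text/html") == 0;
}

/* NULL-safe and tolerant of media-type parameters, case and leading blanks:
 * compares only the media type in front of any ';'. */
int is_html_media_type(const char *ct) {
    const char *want = "text/html";
    size_t n = strlen(want);
    if (ct == NULL) return 0;
    while (*ct == ' ' || *ct == '\t') ct++;
    /* A NUL inside the first n bytes mismatches want[i], so this never
     * reads past the end of a shorter string. */
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)ct[i]) != want[i]) return 0;
    }
    const char *rest = ct + n;
    while (*rest == ' ' || *rest == '\t') rest++;
    return *rest == '\0' || *rest == ';';
}

/* Count how many entries in a list of observed content types (NULL meaning
 * "not yet set at fixup time") the NULL-safe matcher treats as HTML. */
size_t count_html_requests(const char *const *cts, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_html_media_type(cts[i])) hits++;
    return hits;
}

/* Constructed sample of r->content_type values; three of the six are HTML. */
static const char *const samples[] = {
    NULL, "text/html", "text/html; charset=utf-8",
    "TEXT/HTML", "text/plain", "image/png"
};

size_t sample_html_count(void) {
    return count_html_requests(samples, sizeof samples / sizeof samples[0]);
}

int main(void) {
    printf("%zu of %zu sample requests are HTML\n", sample_html_count(),
           sizeof samples / sizeof samples[0]);
    return 0;
}
```

Both NULL-safe variants return 0 for a NULL pointer instead of crashing; which of them to use depends on whether the module should also match responses that carry a charset parameter.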





2.0, 2.1 branch, WAS: Re: Renames

2002-11-20 Thread Sander Striker
Jeff Trawick wrote:


Thom May [EMAIL PROTECTED] writes:
So what is the consensus with the renames? The patch is available from
http://cvs.apache.org/~thommay/full-rename-diff and seems good - it builds
and passes tests on (at least) BeOS and OS X.
Also, httpd and svn don't need any changes to still work - the functions are
all wrapped by the old names. So it's just binary compatibility that's the
problem.


But binary incompatibility breaks the notion of a stable httpd API.
Can we hold off until Sander tags everything for an httpd release?
(I guess Sander is still planning to tag.)


Always useful if Sander responds ;)  Bottom line: I'm not going to tag 
before we branch.
It all comes down to this:
- The auth changes _don't_ break 3rd party auth modules
- We can rename the auth modules and their directives back to their old
  names so we don't break existing 2.0 configs
- We must add implicit loading of mod_auth_basic when no auth provider
  was loaded
- AFAIK the renames don't break bin compat, everything is wrapped in stubs

So, we're ok.  We can branch right now, because the state of the tree today
is probably what we want to use as the basis for 2.1/2.2.

Once we get the auth stuff renamed and the implicit loading in place I'll
tag 2.0.44.  My guess is that this will probably happen next week somewhere.
Justin?

Jeff, OtherBill, does httpd-2.0 HEAD contain anything you'd rather not see
rolled into 2.0.44 (apart from the above)?


Sander




Apache 1.3 and invalid headers

2002-11-20 Thread Andy Yang
Hello all,

Does anyone know what the behaviour of Apache 1.3 is
under the circumstances where the HTTP request or
response contains an invalid request header?

Specifically, when the Connection header contains
something other than 'close'?

It appears to immediately close the connection - can
anyone confirm or deny that this is Apache's behaviour
for both requests and responses?

Thanks,
Andy


__
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com



Re: Apache 1.3 and invalid headers

2002-11-20 Thread Rasmus Lerdorf
You mean when you send a request header that looks something like this?

~ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: localhost
Connection: foo

HTTP/1.1 200 OK
Date: Wed, 20 Nov 2002 22:52:24 GMT
Server: Apache/1.3.28-dev (Unix) PHP/4.3.0RC1
X-Powered-By: PHP/4.3.0RC1
Last-Modified: Wed, 02 Oct 2002 13:34:42 GMT
Transfer-Encoding: chunked
Content-Type: text/html

99d
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
...

I don't get a closed connection right away.  I get all my output (chunked
in this case) and then my connection is closed.

-Rasmus

On Tue, 19 Nov 2002, Andy Yang wrote:

 Hello all,

 Does anyone know what the behaviour of Apache 1.3 is
 under the circumstances where the HTTP request or
 response contains an invalid request header?

 Specifically, when the Connection header contains
 something other than 'close'?

 It appears to immediately close the connection - can
 anyone confirm or deny that this is Apache's behaviour
 for both requests and responses?

 Thanks,
 Andy


 __
 Do you Yahoo!?
 Yahoo! Web Hosting - Let the expert host your site
 http://webhosting.yahoo.com





Re: Apache 1.3 and invalid headers

2002-11-20 Thread Roy T. Fielding
Does anyone know what the behaviour of Apache 1.3 is
under the circumstances where the HTTP request or
response contains an invalid request header?

Specifically, when the Connection header contains
something other than 'close'?


There is nothing invalid about that -- connection is completely
extensible.


It appears to immediately close the connection - can
anyone confirm or deny that this is Apache's behaviour
for both requests and responses?


It does not close the connection on that basis.  What you are
probably seeing is a server that is configured with keepalive off,
in which case all connections are closed regardless of what is
received in Connection.

Roy
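Roy's two points, that Connection is an extensible token list and that a server with keepalive off closes regardless, are easy to show in code. The following is an added example written for this digest, not Apache's connection handling: a small parser for the comma-separated Connection header and a decision function in which `keepalive_enabled` stands in for the server's KeepAlive setting. It models the rule that only a `close` token (matched case-insensitively) requests a close, that unknown tokens such as Rasmus's `foo` are ignored, and that an HTTP/1.0 client stays open only if it sent `keep-alive`.

```c
/* Added example: deciding whether to close after a response from the
 * Connection header. Not Apache's code; the policy is a model of the
 * behaviour described in the thread. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive compare of a token of length n against a C string. */
static int token_equals(const char *tok, size_t n, const char *word) {
    if (strlen(word) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)word[i]))
            return 0;
    }
    return 1;
}

/* Returns 1 if the comma-separated Connection value contains `word` as a
 * whole token (ignoring case and surrounding blanks), else 0. A missing
 * header (NULL) contains nothing; empty tokens such as "a,,b" are skipped. */
int connection_has_token(const char *hdr, const char *word) {
    if (hdr == NULL) return 0;
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (end > start && token_equals(start, (size_t)(end - start), word))
            return 1;
    }
    return 0;
}

/* Close after this response?  keepalive_enabled models a server-wide
 * KeepAlive setting, http11 whether the request was HTTP/1.1. */
int should_close(const char *connection_hdr, int http11, int keepalive_enabled) {
    if (!keepalive_enabled) return 1;                      /* KeepAlive Off */
    if (connection_has_token(connection_hdr, "close")) return 1;
    if (!http11)                                           /* HTTP/1.0 */
        return !connection_has_token(connection_hdr, "keep-alive");
    return 0;            /* unknown tokens such as "foo" do not force a close */
}

int main(void) {
    /* Constructed request headers, including the one from the telnet test. */
    const char *cases[] = { "foo", "foo, close", "Close", NULL, "keep-alive" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("Connection: %-12s keepalive on -> %s, keepalive off -> %s\n",
               cases[i] ? cases[i] : "(absent)",
               should_close(cases[i], 1, 1) ? "close" : "keep",
               should_close(cases[i], 1, 0) ? "close" : "keep");
    }
    return 0;
}
```

With keepalive on, `Connection: foo` leaves the connection open, which matches what Rasmus observed; with keepalive off every case closes, which is the configuration Roy suggests is behind the original report.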




[Patch] Be more selective on includes

2002-11-20 Thread Thom May
This is in response to a debian bug request; basically it just tightens up
the list of allowed characters, so we don't include .dotfiles and backups
etc.
Thoughts?
-Thom

Index: server/config.c
===
RCS file: /home/cvspublic/httpd-2.0/server/config.c,v
retrieving revision 1.156
diff -u -r1.156 config.c
--- server/config.c 12 Sep 2002 20:04:07 -  1.156
+++ server/config.c 21 Nov 2002 01:58:06 -
@@ -76,6 +76,7 @@
 #include apr_portable.h
 #include apr_file_io.h
 #include apr_fnmatch.h
+#include apr_lib.h
 
 #define APR_WANT_STDIO
 #define APR_WANT_STRFUNC
@@ -1434,6 +1435,20 @@
 return strcmp(f1-fname,f2-fname);
 }
 
+static int fname_valid(const char *fname)
+{
+const char *c = fname;
+if (!apr_isalnum(*c)) 
+  return 0;
+++c;
+while (*c) {
+  if(!apr_isalnum(*c)  *c!='_'  *c!='-'  *c!='.')
+return 0;
+  ++c;
+}
+return 1;
+}
+
 AP_DECLARE(void) ap_process_resource_config(server_rec *s, const char *fname,
 ap_directive_t **conftree,
 apr_pool_t *p,
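Review bot: fname_valid() is a hardcoded whitelist (alphanumeric first character, then alphanumerics, `_`, `-` and `.`), so it does drop dotfiles and `~` backups, but `.bak`, `.orig` and `.dpkg-old` style backups still pass, and any existing include file with another character (`+`, space, non-ASCII) silently stops being loaded with no error or log line. If the rule is kept, log skipped names at debug level and document it under Include. Note too that the `while` test as shown here, `if(!apr_isalnum(*c)  *c!='_'  *c!='-'  *c!='.')`, has lost its `&&` operators in transit and would not compile as written; the committed line should read `if (!apr_isalnum(*c) && *c != '_' && *c != '-' && *c != '.')`.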
@@ -1510,7 +1525,8 @@
  strcmp(dirent.name, ..)
  (!ispatt ||
 apr_fnmatch(pattern, dirent.name, 
-FNM_PERIOD) == APR_SUCCESS)) {
+FNM_PERIOD) == APR_SUCCESS)
+ fname_valid(dirent.name)) {
 fnew = (fnames *) apr_array_push(candidates);
 fnew-fname = ap_make_full_path(p, path, dirent.name);
 }
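Review bot: the new fname_valid() test is ANDed after the pattern check, so it also applies when the admin wrote an explicit wildcard Include, which FNM_PERIOD already protects from leading-dot names; the rule therefore cannot be overridden per directive, which is the objection in the replies. Consider applying it only on the `!ispatt` path (plain directory includes) so that an explicit pattern keeps full control of what is loaded.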



Re: [Patch] Be more selective on includes

2002-11-20 Thread André Malo
* Thom May wrote:

 This is in response to a debian bug request; basically it just tightens up
 the list of allowed characters, so we don't include .dotfiles and backups
 etc.
 Thoughts?

hmm. I don't like it. Most of this can easily be done with normal wildcard 
matching. If your patch is applied and I (already) have filenames that 
don't match the hardcoded (!) rules, I'm lost.

nd
-- 
sub the($){+shift} sub answer (){ord q
[* It is always 42! *]   }
   print the answer
# André Malo # http://www.perlig.de/ #



Re: [Patch] Be more selective on includes

2002-11-20 Thread Joshua Slive

On Thu, 21 Nov 2002, André Malo wrote:

 * Thom May wrote:

  This is in response to a debian bug request; basically it just tightens up
  the list of allowed characters, so we don't include .dotfiles and backups
  etc.
  Thoughts?

 hmm. I don't like it. The most can easily be done with normal wildcard
 matching. If your patch is applied and I have filenames (already), that
 don't match the hardcoded (!) rules, I'm lost.

Right.  People should be using
Include conf/*.conf

The docs now explicitly discourage the use of directory includes to avoid
exactly this problem.

Joshua.




[STATUS] (apache-1.3) Wed Nov 20 23:45:11 EST 2002

2002-11-20 Thread Rodent of Unusual Size
APACHE 1.3 STATUS:  -*-text-*-
  Last modified at [$Date: 2002/10/31 05:57:52 $]

Release:

   1.3.28-dev: In development
   1.3.27: Tagged September 30, 2002. Announced Oct 3, 2002.
   1.3.26: Tagged June 18, 2002.
   1.3.25: Tagged June 17, 2002. Not released.
   1.3.24: Tagged Mar 21, 2002. Announced Mar 22, 2002.
   1.3.23: Tagged Jan 21, 2002.
   1.3.22: Tagged Oct 8, 2001.  Announced Oct 12, 2001.
   1.3.21: Not released.
 (Pulled for htdocs/manual config mismatch. t/r Oct 5, 2001)
   1.3.20: Tagged and rolled May 15, 2001. Announced May 21, 2001.
   1.3.19: Tagged and rolled Feb 26, 2001. Announced Mar 01, 2001.
   1.3.18: Tagged and rolled Not released.
 (Pulled because of an incorrect unescaping fix. t/r Feb 19, 2001)
   1.3.17: Tagged and rolled Jan 26, 2001. Announced Jan 29, 2001.
   1.3.16: Not released.
 (Pulled because of vhosting bug. t/r Jan 20, 2001)
   1.3.15: Not released.
 (Pulled due to CVS dumping core during the tagging when it
  reached src/os/win32/)
   1.3.14: Tagged and Rolled Oct 10, 2000.  Released/announced on the 13th.
   1.3.13: Not released.
 (Pulled in the first minutes due to a Netware build bug)
   1.3.12: Tagged and rolled Feb. 23, 2000. Released/announced on the 25th.
   1.3.11: Tagged and rolled Jan. 19, 2000. Released/announced on the 21st.
   1.3.10: Not released.
 (Pulled at last minute due to a build bug in the MPE port)
1.3.9: Tagged and rolled on Aug. 16. Released and announced on 19th.
1.3.8: Not released.
1.3.7: Not released.
1.3.6: Tagged and rolled on Mar. 22. Released and announced on 24th.
1.3.5: Not released.
1.3.4: Tagged and rolled on Jan. 9.  Released on 11th, announced on 12th.
1.3.3: Tagged and rolled on Oct. 7.  Released on 9th, announced on 10th.
1.3.2: Tagged and rolled on Sep. 21. Announced and released on 23rd.
1.3.1: Tagged and rolled on July 19. Announced and released.
1.3.0: Tagged and rolled on June 1.  Announced and released on the 6th.
   
2.0  : Available for general use, see httpd-2.0 repository

RELEASE SHOWSTOPPERS:

RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:

   * Current vote on 2 PRs for inclusion:
  Bugz #9181 (Unable to set headers on non-2XX responses)
+1: Martin, Jim
  Gnats #10246 (Add ProxyConnAllow directive)
+0: Martin (or rather -.5, see dev@ Message
[EMAIL PROTECTED])

* htpasswd.c and htdigest.c use tmpnam()... consider using
  mkstemp() when available.
Message-ID: [EMAIL PROTECTED]
Status:

* Dean's unescaping hell (unescaping the various URI components
  at the right time and place, esp. unescaping the host name).
Message-ID: [EMAIL PROTECTED]
Status:

* Martin observed a core dump because a ipaddr_chain struct contains
  a NULL-server pointer when being dereferenced by invoking httpd -S.
Message-ID: [EMAIL PROTECTED]
Status: Workaround enabled. Clean solution can come after 1.3.19

* long pathnames with many components and no AllowOverride None
  Workaround is to define Directory / with AllowOverride None,
  which is something all sites should do in any case.
Status: Marc was looking at it.  (Will asks 'wasn't this patched?')

* Ronald Tschalär's patch to mod_proxy to allow other modules to
  set headers too (needed by mod_auth_digest)
Message-ID: [EMAIL PROTECTED]
Status:


Available Patches (Most likely, will be ported to 2.0 as appropriate):

   *  A rewrite of ap_unparse_uri_components() by Jeffrey W. Baker
 [EMAIL PROTECTED] to more fully close some segfault potential.
Message-ID: Pine.LNX.4.21.0102102350060.6815-20@desktop
Status:  Jim +1 (for 1.3.19), Martin +0

* Andrew Ford's patch (1999/12/05) to add absolute times to mod_expires
Message-ID: [EMAIL PROTECTED]
Status: Martin +1, Jim +1, Ken +1 (on concept)

* Raymond S Brand's patch to mod_autoindex to fix the header/readme
  include processing so the envariables are correct for the included
  documents.  (Actually, there are two variants in the patch message,
  for two different ways of doing it.)
Message-ID: [EMAIL PROTECTED]
Status: Martin +1(concept)

* Jayaram's patch (10/27/99) for bugfix to mod_autoindex
  IndexIgnore file-extension should hide the files with this file-
  extension in directory listings. This was NOT happening because the 
  total filename was being compared with the file-extension.
  Status: Martin +1(untested), Ken +1(untested)
   
* Salvador Ortiz Garcia [EMAIL PROTECTED]' patch to allow DirectoryIndex
  to refer to URIs for non-static resources.
MID: [EMAIL PROTECTED]
Status: Ken +1 (on concept), Lars +1 (on concept)

* Brian Havard's patch 

[STATUS] (httpd-2.0) Wed Nov 20 23:45:16 EST 2002

2002-11-20 Thread Rodent of Unusual Size
APACHE 2.0 STATUS:  -*-text-*-
Last modified at [$Date: 2002/11/20 21:43:24 $]

Release:

2.0.44  : in development
2.0.43  : released October 3, 2002 as GA.
2.0.42  : released September 24, 2002 as GA.
2.0.41  : rolled September 16, 2002.  not released.
2.0.40  : released August 9, 2002 as GA.
2.0.39  : released June 17, 2002 as GA.
2.0.38  : rolled June 16, 2002.  not released.
2.0.37  : rolled June 11, 2002.  not released.
2.0.36  : released May 6, 2002 as GA.
2.0.35  : released April 5, 2002 as GA.
2.0.34  : tagged March 26, 2002.
2.0.33  : tagged March 6, 2002.  not released.
2.0.32  : released February 16, 2002 as beta.
2.0.31  : rolled February 1, 2002.  not released.
2.0.30  : tagged January 8, 2002.  not rolled.
2.0.29  : tagged November 27, 2001.  not rolled.
2.0.28  : released November 13, 2001 as beta.
2.0.27  : rolled November 6, 2001
2.0.26  : tagged October 16, 2001.  not rolled.
2.0.25  : rolled August 29, 2001
2.0.24  : rolled August 18, 2001
2.0.23  : rolled August 9, 2001
2.0.22  : rolled July 29, 2001
2.0.21  : rolled July 20, 2001
2.0.20  : rolled July 8, 2001
2.0.19  : rolled June 27, 2001
2.0.18  : rolled May 18, 2001
2.0.17  : rolled April 17, 2001
2.0.16  : rolled April 4, 2001
2.0.15  : rolled March 21, 2001
2.0.14  : rolled March 7, 2001
2.0a9   : released December 12, 2000
2.0a8   : released November 20, 2000
2.0a7   : released October 8, 2000
2.0a6   : released August 18, 2000
2.0a5   : released August 4, 2000
2.0a4   : released June 7, 2000
2.0a3   : released April 28, 2000
2.0a2   : released March 31, 2000
2.0a1   : released March 10, 2000

Please consult the following STATUS files for information
on related projects:

* srclib/apr/STATUS
* srclib/apr-util/STATUS
* docs/STATUS

Contributors looking for a mission:

* just do an egrep on TODO and see what's there


CURRENT RELEASE NOTES:


RELEASE SHOWSTOPPERS:


CURRENT VOTES:

* Adopt backwards compatibility for future Apache 2.0 releases
  such that MMN major number changes and eliminating non-experimental
  modules are deferred for the next minor version bump (e.g. 2.1, 2.2 
  or 3.0).
+1: wrowe, jerenkrantz, aaron, brianp, trawick, stoddard, jwoolley,
rbowen, rederpj, jim, striker
 0: 
-1: 

* Defer the Auth module overhaul to the next minor version bump
  (e.g. 2.1, 2.2, 3.0) on the condition that forward compatibility
  resolution is adopted.
+1: wrowe, aaron, trawick, stoddard, jwoolley, rbowen, gregames,
rederpj, jim
 0: jerenkrantz
-1: striker 

* Adopt an even/odd release paradigm (see VERSIONING) such that
  even numbered releases are stable, and odd numbered releases 
  are development efforts, keeping in the tradition of Linux, 
  Perl, etc.  In practical terms, this implies C-T-R-T-C, where
  patches are (generally) first applied to the development branch,
  tested, and then (after vote) applied to the stable branch.
+1: wrowe, jerenkrantz, aaron, trawick, stoddard, jwoolley, rbowen,
gregames, rederpj, jim, striker
 0: 
-1: 

* Branch APACHE_2_0_BRANCH today, changing the version in CVS HEAD
  to 2.1.0-dev.
+1 [from APACHE_2_0_43]: wrowe, aaron, trawick, stoddard, jwoolley,
 gregames, rederpj, jim
+1 [from HEAD]: striker
 0: jerenkrantz
-1: 

* httpd-std.conf and friends

  a) httpd-std.conf should be tailored by install (from src or
 binbuild) even if user has existing httpd.conf
 +1:   trawick, slive, gregames, ianh, Ken, wrowe, jwoolley
   wrowe - prefer httpd.default.conf to avoid ambiguity with cvs

  b) tailored httpd-std.conf should be copied by install to
 sysconfdir/examples
 -0:   striker

  c) tailored httpd-std.conf should be installed to
 sysconfdir/examples or manualdir/exampleconf/
 +1:   slive, trawick, Ken

  d) Installing a set of default config files when upgrading a server
 doesn't make ANY sense at all.
 +1:   ianh - medium/big sites don't use 'standard config' anyway, as it
  usually needs major customizations
 -1:   Ken, wrowe, jwoolley, jim
   wrowe - diff is wonderful when comparing old/new default configs,
   even for customized sites that ianh mentions
   jim - ... assuming that the default configs have been updated
 with the required inline docs to explain the
 changes

* If the parent process dies, should the remaining child processes
  gracefully self-terminate. Or maybe we should make it a runtime
  option, or have a concept of 2 parent 

Re: [STATUS] (apache-1.3) long pathnames with many components

2002-11-20 Thread Glenn
On Wed, Nov 20, 2002 at 11:45:11PM -0500, Rodent of Unusual Size wrote:
 APACHE 1.3 STATUS:-*-text-*-
   Last modified at [$Date: 2002/10/31 05:57:52 $]
[...]
 RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
 
[...]
 * long pathnames with many components and no AllowOverride None
   Workaround is to define Directory / with AllowOverride None,
   which is something all sites should do in any case.
   Status: Marc was looking at it.  (Will asks 'wasn't this patched?')
[...]

Is this a code problem or can the documentation be augmented instead?

DirectoryMatch uses full regexes, but can't be used to enable or
disable AllowOverride (.htaccess) since it is processed _after_
.htaccess files are processed.

But Directory has *, ?, and character class [] wildcards which
can be employed just as well in most cases.  An example:

In my configuration, all public web-related files are nested in
  vhosts:   /pub/u/s/username/vhost.dom/
  userdirs: /pub/u/s/username/homepage/
(Usernames on this system must be at least two chars long
 and must start with two lowercase alphas.  Additionally, since
 users do not have write privileges to the /pub/u/s/username/
 directory, the following also limits the use of the expensive
 SymlinksIfOwnerMatch to all user-controlled files.)

<Directory />
    Options FollowSymLinks
    AllowOverride None
    deny from all
</Directory>
<Directory /pub/[a-z]/[a-z]/*/*>
    Options SymLinksIfOwnerMatch Indexes IncludesNoExec
    AllowOverride FileInfo AuthConfig Limit Indexes
    allow from all
</Directory>


Another solution is to have a Directory block within each vhost that
allows access to the DocumentRoot of the vhost.  And one for userdirs.

<Directory />
    Options FollowSymLinks
    AllowOverride None
    deny from all
</Directory>
## (for each vhost)
<VirtualHost *>
    # ...
    DocumentRoot /my/document/root
    <Directory /my/document/root>
        Options FollowSymLinks Indexes IncludesNoExec
        AllowOverride FileInfo AuthConfig Limit Indexes
        allow from all
    </Directory>
</VirtualHost>
<Directory /home/*/public_html>
    Options FollowSymLinks Indexes IncludesNoExec
    AllowOverride FileInfo AuthConfig Limit Indexes
    allow from all
</Directory>


And now a question about the code: why bother checking for .htaccess files
outside of valid DocumentRoots (or UserDirs)?  If you need to set directives
above the document root, create a Directory block in httpd.conf.

Also for Apache 3.0, can AllowOverride None be the default?
It is a more secure default, besides providing better performance.

Cheers,
Glenn