You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Stefan Walter <wa...@inf.ethz.ch> on 2000/04/15 21:25:47 UTC

general/5993: AllowOverride should have a 'CheckNone' and 'AllowNone' argument instead of only 'None'

>Number:         5993
>Category:       general
>Synopsis:       AllowOverride should have a 'CheckNone' and 'AllowNone' argument instead of only 'None'
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Sat Apr 15 12:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     walter@inf.ethz.ch
>Release:        1.3.11
>Organization:
apache
>Environment:
SunOS dump 5.6 Generic_105181-17 sun4u sparc SUNW,Ultra-250
>Description:
'AllowOverride None' instructs Apache to ignore all .htaccess files within the
directory tree it is applied to while for instance 'AllowOverride Indexes'
causes Apache to give a server error when a .htaccess file in the path attemts
to override anything other than Indexes. This is stated in the documentation
but it is not a consistent behaviour.

There is currently no feature that allows the httpd admin to turn off all
overrides and cause a server error when a .htaccess file attempts to override
anything at all. The only workaround is to allow overrides of some unimportant
feature (indexes for instance). 

Many admins use 'AllowOverride None' if no overrides are believed to be needed.
This is dangerous and should be warned about. Our site had repeated
problems with users who tried to restrict access to their documents via
.htaccess file and deny/allow and who did not find out that the restriction
was ignored because of 'AllowOverride None'.
>How-To-Repeat:

>Fix:
Add the capability to really allow no options at all when the admin
specifies 'AllowOverride AllowNone'. Add an alias called 'CheckNone'
for 'None'.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]