https://issues.apache.org/bugzilla/show_bug.cgi?id=41760
--- Comment #15 from Matt McCutchen <[email protected]> 2009-09-22 18:55:09 PDT --- So I believe unruh, Mikel, and I are in agreement that the current semantic of "AllowOverride None" is a gratuitous special case that is harmful to security. I'll recap the argument in case it isn't clear. The normal effect of omitting a directive-type from AllowOverride is to forbid the use of those directives in htaccess; if Apache finds one, it raises a 500 Internal Server Error. This is a good thing: if for any reason a directive-type is removed from AllowOverride in the master configuration, sites using it stop working rather than become vulnerable. With "AllowOverride Foo", where Foo is a hypothetical directive-type that contains zero directives, an htaccess file containing any directives at all would give a 500 error. But when we get to "AllowOverride None", the behavior suddenly changes: in effect, all directives are silently ignored. My web host, DreamHost, centrally manages the master Apache configuration but uses essentially "AllowOverride All". In this way, they leverage the careful thought the developers put into which Apache directives are safe enough for shared hosting to have htaccess context. They expose a limited amount of the remaining functionality through the customer control panel. Comment #4 and comment #9 seem to be claiming that htaccess is not supported for security. I certainly hope that's not the case; if it is, an giant warning in the manual would be warranted, and web hosts will be deprived of a convenient way to offer a safe subset of Apache functionality to their customers. I understand that changing the behavior of "AllowOverride None" would break existing configurations, which is bad. But at least it should be deprecated in favor of a new "AccessFileName none" syntax, which is the completely logical way to say that no access files should be recognized. Then I would like a new syntax, perhaps "AllowOverride RejectAll", to process htaccess files but with no directive-types allowed. Shall I reopen? -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
