View Issue Details

ID: 0021588
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-01-15 06:58
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version:
Target Version: 1.3.x
Fixed in Version: 1.3.x
Summary: 0021588: Update .htaccess files to support Apache 2.4 new authz syntax
Description

Apache 2.4 introduced significant changes in authorization configuration [1].

We should adapt our .htaccess files to support the new syntax if available, while maintaining compatibility with 2.2 syntax as suggested in [2].

[1] https://httpd.apache.org/docs/trunk/upgrading.html#run-time
[2] http://blog.plee.me/2013/07/access-control-via-hybrid-htaccess-for-both-apache-httpd-2-2-and-2-4/

Additional Information

This was initially reported on IRC by user CRCinAU
http://mantisbt.org/irclogs/mantisbt/2016/mantisbt.2016-07-11.log.html#t2016-07-11T04:05:58

Tags: No tags attached.

Relationships

related to 0022194 (resolved, dregad): Update securimage to 3.6.5

Activities

CRCinAU

2016-12-30 20:56

reporter   ~0054881

Last edited: 2017-01-13 05:48

I'd like to give this a nudge. It still hasn't been fixed in the 2.0.0 release.

It currently makes any .htaccess restrictions useless for apache 2.4 users out of the box.

I use / create the following to overwrite any current .htaccess file in the source tree:

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>

dregad

2016-12-31 18:59

developer   ~0054882

Sorry, this fell off the radar.

dregad

2017-01-13 12:26

developer   ~0055106

Targeting 1.3.x since we support (and recommend) Apache 2.4 there

dregad

2017-01-13 12:46

developer   ~0055107

PR https://github.com/mantisbt/mantisbt/pull/994

Related Changesets

MantisBT: master-1.3.x f1f8658a

2017-01-13 12:29:41

dregad

.htaccess files Apache 2.4 compatibility update

The .htaccess files used to restrict access to specific directories
follow the Apache 2.2 mod_authz_host module syntax [1] (Order, Allow,
Deny).

Apache 2.4 introduced a new module mod_authz_core [2], with a different,
incompatible directive (Require). Consequently, unless the compatibility
module access_compat is enabled, the obsolete ones will cause Apache
configuration errors to occur when the .htaccess file is read.

To avoid this, the .htaccess files are modified to use the new syntax
when an Apache 2.4 server is detected, and fall back to the old
directives otherwise.

Fixes 0021588

[1] https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
mod - config/.htaccess
mod - core/.htaccess
mod - doc/.htaccess
mod - lang/.htaccess
mod - library/.htaccess
mod - library/README.md
mod - library/securimage
mod - plugins/.htaccess
mod - scripts/.htaccess
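
An audit for the situation this changeset addresses, added here as an example and not part of MantisBT or the original page: it walks a source tree and reports which .htaccess files still carry Apache 2.2 directives outside an `<IfModule !mod_authz_core.c>` guard, or have no rule that applies on 2.4. The function names and verdict labels are assumptions, and only the `mod_authz_core.c` form of the module test shown in the note above is recognized.

```python
import os
import re

# <IfModule [!]mod_authz_core.c> opens a guard; group 1 is "!" on the 2.2 branch.
GUARD = re.compile(r"^<IfModule\s+(!?)\s*mod_authz_core\.c\s*>", re.I)
ANY_OPEN = re.compile(r"^<IfModule\b", re.I)
CLOSE = re.compile(r"^</IfModule\s*>", re.I)
LEGACY = re.compile(r"^(Order|Allow|Deny)\b", re.I)   # mod_authz_host (2.2)
REQUIRE = re.compile(r"^Require\b", re.I)             # mod_authz_core (2.4)

def classify(text):
    """Classify one .htaccess body by which Apache versions its access rules cover."""
    stack = ["bare"]                 # guard state of each enclosing <IfModule>
    seen = set()                     # (directive kind, guard state) pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GUARD.match(line)
        if m:
            stack.append("v22" if m.group(1) else "v24")
        elif ANY_OPEN.match(line):
            stack.append(stack[-1])  # unrelated module test: inherit state
        elif CLOSE.match(line) and len(stack) > 1:
            stack.pop()
        elif LEGACY.match(line):
            seen.add(("legacy", stack[-1]))
        elif REQUIRE.match(line):
            seen.add(("require", stack[-1]))
    if ("legacy", "bare") in seen or ("legacy", "v24") in seen:
        return "legacy-unguarded"    # 2.2 directives reachable on Apache 2.4
    has_24 = bool(seen & {("require", "v24"), ("require", "bare")})
    has_22 = ("legacy", "v22") in seen
    if has_24:
        return "hybrid" if has_22 else "require-only"
    return "no-2.4-rule" if has_22 else "no-access-rule"

def audit(root):
    """Map each .htaccess path (relative to root) to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.relpath(path, root)] = classify(fh.read())
    return results

if __name__ == "__main__":
    print("\n".join(f"{v}\t{p}" for p, v in sorted(audit(".").items())))
```

Any verdict other than `hybrid` or `require-only` marks a directory whose restriction should be checked against the Apache version actually deployed.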

Issue History

Date Modified Username Field Change
2016-08-03 12:05 dregad New Issue
2016-12-30 20:56 CRCinAU Note Added: 0054881
2016-12-31 18:59 dregad Status new => confirmed
2016-12-31 18:59 dregad Target Version => 2.0.x
2016-12-31 18:59 dregad Note Added: 0054882
2017-01-13 05:48 dregad Note Edited: 0054881
2017-01-13 12:23 dregad Relationship added related to 0022194
2017-01-13 12:25 dregad Assigned To => dregad
2017-01-13 12:25 dregad Status confirmed => assigned
2017-01-13 12:26 dregad Target Version 2.0.x => 1.3.x
2017-01-13 12:26 dregad Note Added: 0055106
2017-01-13 12:46 dregad Note Added: 0055107
2017-01-15 06:58 dregad Changeset attached => MantisBT master-1.3.x f1f8658a
2017-01-15 06:58 dregad Status assigned => resolved
2017-01-15 06:58 dregad Resolution open => fixed
2017-01-15 06:58 dregad Fixed in Version => 1.3.x