View Issue Details

ID: 0021588
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-02-01 22:47
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Target Version: 1.3.6
Fixed in Version: 1.3.6
Summary: 0021588: Update .htaccess files to support Apache 2.4 new authz syntax
Description

Apache 2.4 introduced significant changes in authorization configuration [1].

We should adapt our .htaccess files to support the new syntax if available, while maintaining compatibility with 2.2 syntax as suggested in [2].

[1] https://httpd.apache.org/docs/trunk/upgrading.html#run-time
[2] http://blog.plee.me/2013/07/access-control-via-hybrid-htaccess-for-both-apache-httpd-2-2-and-2-4/

Additional Information

This was initially reported on IRC by user CRCinAU
http://mantisbt.org/irclogs/mantisbt/2016/mantisbt.2016-07-11.log.html#t2016-07-11T04:05:58

Tags: No tags attached.

Relationships

related to 0022194 (closed, dregad): Update securimage to 3.6.5

Activities

CRCinAU

2016-12-30 20:56

reporter   ~0054881

Last edited: 2017-01-13 05:48

I'd like to give this a nudge. It still hasn't been fixed in the 2.0.0 release.

It currently makes any .htaccess restrictions useless for Apache 2.4 users out of the box.

I use / create the following to overwrite any current .htaccess file in the source tree:

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>

dregad

2016-12-31 18:59

developer   ~0054882

Sorry, this fell off the radar.

dregad

2017-01-13 12:26

developer   ~0055106

Targeting 1.3.x since we support (and recommend) Apache 2.4 there

dregad

2017-01-13 12:46

developer   ~0055107

PR https://github.com/mantisbt/mantisbt/pull/994

Related Changesets

MantisBT: master-1.3.x f1f8658a

2017-01-13 07:29

dregad


.htaccess files Apache 2.4 compatibility update

The .htaccess files used to restrict access to specific directories
follow the Apache 2.2 mod_authz_host module syntax [1] (Order, Allow,
Deny).

Apache 2.4 introduced a new module mod_authz_core [2], with a different,
incompatible directive (Require). Consequently, unless the compatibility
module access_compat is enabled, the obsolete ones will cause Apache
configuration errors to occur when the .htaccess file is read.

To avoid this, the .htaccess files are modified to use the new syntax
when an Apache 2.4 server is detected, and fall back to the old
directives otherwise.

Fixes 0021588

[1] https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

Affected Issues
0021588

mod - config/.htaccess
mod - core/.htaccess
mod - doc/.htaccess
mod - lang/.htaccess
mod - library/.htaccess
mod - library/README.md
mod - library/securimage
mod - plugins/.htaccess
mod - scripts/.htaccess
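
An added example (not MantisBT's own code): a Python check that walks a source tree and reports .htaccess files that do not follow the hybrid 2.2/2.4 pattern described in the commit message above. The function names and the sample strings are assumptions constructed for illustration.

```python
import os
import re

LEGACY = {"order", "allow", "deny"}                 # Apache 2.2 access directives
AUTHZ_CORE = {"mod_authz_core.c", "authz_core_module"}
OPEN_RE = re.compile(r"<IfModule\s+(!?)\s*([^\s>]+)\s*>", re.I)
CLOSE_RE = re.compile(r"</IfModule\s*>", re.I)

def audit_htaccess(text):
    """Return findings for one .htaccess file; an empty list means it is hybrid."""
    findings, stack = [], []     # stack: "2.4", "2.2" or None per open <IfModule>
    has_24 = has_22 = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            is_core = m.group(2).lower() in AUTHZ_CORE
            stack.append(("2.2" if m.group(1) else "2.4") if is_core else None)
        elif CLOSE_RE.match(line):
            del stack[-1:]       # pop the innermost block; tolerate a stray close tag
        elif line.lower().split()[0] in LEGACY:
            if "2.2" not in stack:
                findings.append(f"line {lineno}: '{line}' outside <IfModule !mod_authz_core.c>")
            elif line.lower().split() == ["deny", "from", "all"]:
                has_22 = True
        elif line.lower().split() == ["require", "all", "denied"] and "2.4" in stack:
            has_24 = True
    if not has_24:
        findings.append("no 'Require all denied' inside <IfModule mod_authz_core.c>")
    if not has_22:
        findings.append("no guarded 'Deny from all' fallback for Apache 2.2")
    return findings

def audit_tree(root):
    """Map each .htaccess path under root to its findings, omitting clean files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = audit_htaccess(fh.read())
    return {p: f for p, f in report.items() if f}

# Constructed samples: the hybrid form quoted in the thread, and a 2.2-only file.
HYBRID = ("<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
          "<IfModule !mod_authz_core.c>\nOrder Allow,Deny\nDeny from all\n</IfModule>\n")
LEGACY_ONLY = "Order Allow,Deny\nDeny from all\n"
```

Calling `audit_tree` on the root of an installation returns only the files that still need attention, so an empty dictionary means every restricted directory carries both branches.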