Bug 52824 - Conflicts between AllowOverride and AllowOverrideList (Manual is completely wrong!)
Status: NEEDINFO
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.4.1
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2012-03-04 22:19 UTC by Tianyin Xu
Modified: 2012-07-11 01:59 UTC

Description Tianyin Xu 2012-03-04 22:19:55 UTC
This is not a duplicate bug of 52823 (https://issues.apache.org/bugzilla/show_bug.cgi?id=52823)

The confusion comes from the weird relationship between AllowOverride and AllowOverrideList. Take a look at the example in the manual:

http://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

-----

Example:

AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above AllowOverride grants permission to the AuthConfig directive grouping and AllowOverrideList grants permission to only two directives from the FileInfo directive grouping. All others will cause an internal server error.

-----

It clearly says that the AuthConfig group as well as CookieTracking and CookieName are allowed in the .htaccess files.

However, if you put directives of the AuthConfig group, you will get error messages in the error log and Apache will not parse these directives.

So, this is completely wrong according to the manual. Or is the manual completely wrong?

If you trace the source code, the AllowOverrideList maintains a table (override_list) which is in the core_dir_config structure. All the parameters of AllowOverrideList are set in this table.

When parsing a .htaccess file, before calling invoke_cmd(), Apache checks whether cmd->name is in this table. If not, it will go to an error return no matter whether this cmd's group is allowed in AllowOverride.    

The code is shown as follows:

-----

static const char *invoke_cmd(const command_rec *cmd, cmd_parms *parms,
                              void *mconfig, const char *args)
{
    /* ... (elided in the report) ... */

    /** Have we been provided a list of acceptable directives? */
    if (parms->override_list != NULL) {
        if (apr_table_get(parms->override_list, cmd->name) != NULL) {
            override_list_ok = 1;
        }
    }

    if ((parms->override & cmd->req_override) == 0 && !override_list_ok) {
        if (parms->override & NONFATAL_OVERRIDE) {
            ap_log_perror(APLOG_MARK, APLOG_WARNING, 0, parms->temp_pool,
                          APLOGNO(02295)
                          "%s in .htaccess forbidden by AllowOverride",
                          cmd->name);
            return NULL;
        }
        else {
            return apr_pstrcat(parms->pool, cmd->name,
                               " not allowed here", NULL);
        }
    }
    /* invoke the corresponding directive function */
    /* ... (elided in the report) ... */
}

-----

My test case is to put the following configuration entries into the httpd.conf

-----

#in httpd.conf
#both the Indexes group and AuthDBMGroupFile should be allowed
<Directory />
    AllowOverride Indexes
    AllowOverrideList AuthDBMGroupFile
</Directory>

-----

Then, put a .htaccess file in the DocumentRoot directory with the following lines:

-----

#DirectoryIndex is a directive in the Indexes group according to the manual
DirectoryIndex index.html

----- 

Start the httpd server and use a browser to access:

ipaddress:port/documentroot/file

You will get the error log message in the error log:

[Sun Mar 04 13:09:27.492655 2012] [core:alert] [pid 24509:tid 140634204722944] [client 132.239.17.127:57257] /home/tianyin/apache-2.4.1/htdocs/.htaccess: DirectoryIndex not allowed here


Thanks a lot!
Comment 1 Stefan Fritsch 2012-03-19 21:39:39 UTC
I can't reproduce this with your example config. Maybe you have another AllowOverrideList line in your config that overrides the one with AuthDBMGroupFile?

And I think the code is ok: If the AllowOverride from parms->override does not match and we don't have a match from AllowOverrideList (override_list_ok), we get an error. If any of the two matches, we don't get an error.
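
The override check quoted in the description, reduced to a stand-alone C model and evaluated against the report's <Directory /> block. This is an added example, not httpd source and not part of any comment in this bug; the OR_* bit values and the function names are assumptions made for illustration, and the NONFATAL_OVERRIDE branch is left out because it only changes how a rejection is reported.

```c
#include <stdio.h>
#include <strings.h>

/* Illustrative override-group bits; the values are assumptions, not httpd's. */
#define OR_INDEXES  (1u << 0)
#define OR_AUTHCFG  (1u << 1)
#define OR_FILEINFO (1u << 2)

/* Model of the gate in front of a directive handler.
 * override:      groups granted by AllowOverride
 * override_list: NULL-terminated names from AllowOverrideList, or NULL
 * Returns 1 if the directive may run, 0 for "not allowed here". */
int htaccess_allows(unsigned override, const char *const *override_list,
                    const char *name, unsigned req_override)
{
    int override_list_ok = 0;

    if (override_list != NULL) {
        for (int i = 0; override_list[i] != NULL; i++) {
            /* apr_table_get() matches keys case-insensitively */
            if (strcasecmp(override_list[i], name) == 0)
                override_list_ok = 1;
        }
    }
    /* Rejected only when BOTH the group test and the list test fail. */
    if ((override & req_override) == 0 && !override_list_ok)
        return 0;
    return 1;
}

/* The <Directory /> block from the report: Indexes + AuthDBMGroupFile. */
int report_config_allows(const char *name, unsigned req_override)
{
    static const char *const list[] = { "AuthDBMGroupFile", NULL };
    return htaccess_allows(OR_INDEXES, list, name, req_override);
}

int main(void)
{
    printf("DirectoryIndex   -> %d\n", report_config_allows("DirectoryIndex", OR_INDEXES));
    printf("AuthDBMGroupFile -> %d\n", report_config_allows("AuthDBMGroupFile", OR_AUTHCFG));
    printf("CookieName       -> %d\n", report_config_allows("CookieName", OR_FILEINFO));
    return 0;
}
```

The model covers only the lines quoted in the report; it says nothing about what else in a running configuration could produce the logged "not allowed here" message.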
Comment 2 Tianyin Xu 2012-03-19 23:16:09 UTC
(In reply to comment #1)
> I can't reproduce this with your example config. Maybe you have another
> AllowOverrideList line in your config that overrides the one with
> AuthDBMGroupFile?
> 
> And I think the code is ok: If the AllowOverride from parms->override does not
> match and we don't have a match from AllowOverrideList (override_list_ok), we
> get an error. If any of the two matches, we don't get an error.

Hi, Stefan, 

Thanks a lot for the response!

I do not have another AllowOverride or AllowOverrideList, and I replayed it.
The point here is not the AuthDBMGroupFile but the DirectoryIndex.

To make the thing more clear, let me explain a bit more.

(1) According to the example in AllowOverrideList
http://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

The following setting should allow two things: (1) Allow the Indexes directive grouping; (2) the AuthDBMGroupFile directive which is in the AuthConfig grouping.

<Directory />
    AllowOverride Indexes
    AllowOverrideList AuthDBMGroupFile
</Directory>

(2) According to the description of AllowOverride:
http://httpd.apache.org/docs/2.4/mod/core.html#allowoverride

DirectoryIndex belongs to the Indexes grouping.

So, having (1) and (2), I suppose the DirectoryIndex directive should be allowed in the .htaccess in the /. However, it is not allowed with the error message shown in the last email. This is verified by the code logic: the DirectoryIndex passed the AllowOverride checking but failed in the AllowOverrideList checking (i.e., the code snippets I showed in the previous email).

Am I right, Stefan? Or I misunderstood sth? Please let me know :-)
Comment 3 Eric Covener 2012-07-11 01:59:17 UTC
I was not able to reproduce the behavior either.