AllowOverride - Mis-behaving Default

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

AllowOverride - Mis-behaving Default

Nigel Peck

Hi,

According to the documentation[1], the default for `AllowOverride` is
`None`, and when `AllowOverride` is set to `None`, .htaccess files are
not read at all.

When I set `AllowOverride` to `None` explicitly, I find that is the
behaviour I see, but when I don't specify it at all, the .htaccess file
is still read and I receive a ".htaccess: [...] not allowed here" error.
So it looks like even though no override is allowed by default, the
`.htaccess` file is still being read when `None` is not specified
explicitly.

This is with Apache 2.4.6 on CentOS 7, so perhaps it has been fixed in a
later version, but I am not in a position to easily test that, so
thought I'd mention it here in case it's useful.

If this is expected behaviour then the documentation could be clearer on
this point. It states:

"When this directive is set to None and AllowOverrideList is set to
None, .htaccess files are completely ignored."

So leaving it as the default should surely exhibit the same behaviour as
setting the default explicitly?

Best,
Nigel

[1] https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Frank Gingras


On 18/06/17 05:17 PM, Nigel Peck wrote:

>
> Hi,
>
> According to the documentation[1], the default for `AllowOverride` is
> `None`, and when `AllowOverride` is set to `None`, .htaccess files are
> not read at all.
>
> When I set `AllowOverride` to `None` explicitly, I find that is the
> behaviour I see, but when I don't specify it at all, the .htaccess file
> is still read and I receive a ".htaccess: [...] not allowed here" error.
> So it looks like even though no override is allowed by default, the
> `.htaccess` file is still being read when `None` is not specified
> explicitly.
>
> This is with Apache 2.4.6 on CentOS 7, so perhaps it has been fixed in a
> later version, but I am not in a position to easily test that, so
> thought I'd mention it here in case it's useful.
>
> If this is expected behaviour then the documentation could be clearer on
> this point. It states:
>
> "When this directive is set to None and AllowOverrideList is set to
> None, .htaccess files are completely ignored."
>
> So leaving it as the default should surely exhibit the same behaviour as
> setting the default explicitly?
>
> Best,
> Nigel
>
> [1] https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

You probably have another <Directory> block that has AllowOverride set,
for the / path or another. Inspect all files shipped by CentOS, and the
ones you modified.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Nigel Peck
On 18/06/2017 16:38, Frank wrote:
> You probably have another <Directory> block that has AllowOverride set,
> for the / path or another. Inspect all files shipped by CentOS, and the
> ones you modified.

I only have one config file, since I merged all of the others in to it
that I needed. I already double checked that there are no other
AllowOverride directives that could be affecting this. The only others
are in other virtual hosts in separate directories not above the one I
tested. Also setting `AllowOverride None` on the root directory block
prevents it, which it wouldn't if another directive were causing the
problem.

Thanks
Nigel

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Frank Gingras


On 18/06/17 06:16 PM, Nigel Peck wrote:

> On 18/06/2017 16:38, Frank wrote:
>> You probably have another <Directory> block that has AllowOverride
>> set, for the / path or another. Inspect all files shipped by CentOS,
>> and the ones you modified.
>
> I only have one config file, since I merged all of the others in to it
> that I needed. I already double checked that there are no other
> AllowOverride directives that could be affecting this. The only others
> are in other virtual hosts in separate directories not above the one I
> tested. Also setting `AllowOverride None` on the root directory block
> prevents it, which it wouldn't if another directive were causing the
> problem.
>
> Thanks
> Nigel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

As per http://httpd.apache.org/docs/current/mod/core.html#allowoverride :

Default: AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8
and earlier)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Nigel Peck

On 18/06/2017 18:01, Frank wrote:
 > As per http://httpd.apache.org/docs/current/mod/core.html#allowoverride :
 >
 > Default:    AllowOverride None (2.3.9 and later), AllowOverride All
(2.3.8 and earlier)

I'm not sure what your point is. I am aware of that and it supports the
point I am making in my email. The default should be none, which also
means .htaccess files should not be read at all, but if the default is
used then .htaccess files are read. It has to be stated explicitly to
prevent .htaccess files being read.

Nigel

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Frank Gingras


On 18/06/17 08:22 PM, Nigel Peck wrote:

>
> On 18/06/2017 18:01, Frank wrote:
>> As per http://httpd.apache.org/docs/current/mod/core.html#allowoverride :
>>
>> Default:    AllowOverride None (2.3.9 and later), AllowOverride All
> (2.3.8 and earlier)
>
> I'm not sure what your point is. I am aware of that and it supports the
> point I am making in my email. The default should be none, which also
> means .htaccess files should not be read at all, but if the default is
> used then .htaccess files are read. It has to be stated explicitly to
> prevent .htaccess files being read.
>
> Nigel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

Nigel,

The point is that the default value changed for 2.3 (and hence 2.4), and
you seem to be missing it, yes.

As for why that change was made, the development mailing list might be
better suited for that thread.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: AllowOverride - Mis-behaving Default

Nigel Peck
> On 18 Jun 2017, at 23:41, Frank <[hidden email]> wrote:
>
> Nigel,
>
> The point is that the default value changed for 2.3 (and hence 2.4), and you seem to be missing it, yes.
>
> As for why that change was made, the development mailing list might be better suited for that thread.

No Frank, I'm not missing the point at all. I'm afraid that's you. I will explain again. Please read carefully and understand this time before replying.

The default for AllowOverride is None on my version. If I make use of that default setting, and do not specify any value for AllowOverride in any way at all, it does not behave in the same way as if I specify None explicitly.

Specifically, .htaccess files are looked for and opened if present, which is not the specified behaviour for a setting of None. The behaviour is correct if I specify None explicitly (.htaccess files are not processed in any way), if I allow None to be specified implicitly, by not setting AllowOverride at all, and using the default, then they are processed, albeit creating an error that the settings are not allowed. With a setting of None, this should not happen, since they should not be opened at all.

Nigel

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...