by Background
----------
In the course of installing the FrontPage Server Extensions on Apache
1.2.6 on Digital Unix 4.0 I discovered that the Extensions like to use
'Options None' in various .htaccess files they use. To increase
security on our server though, we do not allow Options to be overridden
in .htaccess files. When Apache 1.2.6 tries to access a file in a
directory with an .htaccess file containing 'Options None' it disallows
the request. Allowing users to override Options was undesirable and not
being able to come up with any satisfying workarounds I modified the
Apache 1.2.6 source to allow 'Options None' to be honored even when not
allowed by various <Directory> configuration directives in access.conf.
Modifications
-------------
The patch below attempts to do nothing but reset the Options to None
when an 'Options None' line is encountered. Normally an Options line is
completely ignored if Options overrides are not allowed. This caused a
problem though because I needed to read the Options before deciding
whether or not to allow an override to occur. I believe I've maintained
the integrity of the server though because if Options overrides are NOT
allowed and the .htaccess file contains any Options line except for
'Options None' it rolls back any changes that were made while parsing
the Options directive and disallows the request. If Options overrides
are allowed then normal processing occurs. If Options overrides are
allowed and an 'Options None' line is found then normal processing also
occurs and Options are set to None.
Feedback/Suggestions
--------------------
I'm not sure how useful this is to the majority of Apache users but I
believe this is probably something most sites with the FrontPage-patched
Apache servers will be interested in if they understand the implications
of allowing users to override Options settings in .htaccess files. If
others have come up with other workarounds I'd be happy to hear of
them! Since this is my first experience with hacking on the Apache
source I'd also be happy to receive any comments/suggestions regarding
the patch itself.
Now for a typical disclaimer: I'm in NO way responsible for anything
this patch may do to your web-server, your company, or your customers
blah blah blah.
Jeff Long
ACS User Services
University of Kansas
Patch
(you should be able to just 'patch < patchfile' this, but copy
http_config.c before you do this)
-----
*** http_config.c Thu Apr 9 11:16:59 1998
--- http_config.c.new Thu Apr 9 11:13:00 1998
***************
*** 478,485 ****
char *w, *w2, *w3;
const char *errmsg;
! if ((parms->override & cmd->req_override) == 0)
! return pstrcat (parms->pool, cmd->name, " not allowed here",
NULL);
parms->info = cmd->cmd_data;
parms->cmd = cmd;
--- 478,515 ----
char *w, *w2, *w3;
const char *errmsg;
! if ((parms->override & cmd->req_override) == 0) {
! if ((cmd->req_override & OR_OPTIONS) == OR_OPTIONS) {
! const char *retval;
! allow_options_t old_opts;
! void *old_info;
! const command_rec *old_cmd;
!
! old_opts = ((core_dir_config *)mconfig)->opts;
! old_info = parms->info;
! old_cmd = parms->cmd;
! parms->info = cmd->cmd_data;
! parms->cmd = cmd;
! retval = (*cmd->func) (parms, mconfig, args);
! if (retval == NULL) {
! if (((core_dir_config *)mconfig)->opts == OPT_NONE) {
! return retval;
! }
! else {
! ((core_dir_config *)mconfig)->opts = old_opts;
! parms->info = old_info;
! parms->cmd = old_cmd;
! return pstrcat (parms->pool, cmd->name, " None only
allowed here", NULL);
! }
! }
! else {
! return retval;
! }
! }
! else {
! return pstrcat (parms->pool, cmd->name, " not allowed here",
NULL);
! }
! }
parms->info = cmd->cmd_data;
parms->cmd = cmd;