Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#15031] - Using the supplied htaccess file will crash some servers

?
avatar Paladin
Paladin
31 Mar 2017

Steps to reproduce the issue

  1. create an apache web server instance that does not load the auto index module
  2. rename htaccess.txt to .htaccess

Expected result

Site will work

Actual result

Site crashes with error in log 'IndexIgnore not allowed here'

System information (as much as possible)

The one I encountered it on was CentOS 7.2 with apache 2.4.25 but this is a fundamental error, should crash in any OS, any version of apache, so long as the auto index module is not loaded.

Additional comments

You can't include module configuration directives in an htaccess file if the module isn't enabled. And obviously auto index isn't required to be enabled; I just ran into a case where it wasn't. A server without it is admittedly a rare beast, but not a mythical one.

If it's not a module that you require to be loaded for normal Joomla operation, put it in an IfModule block:

IndexIgnore *

You're probably OK with not doing that for the mod_rewrite directives, enabling mod_rewrite for SEF is probably the only reason to use the included .htaccess file. But mod_autoindex can be disabled by site builders who want to leave unnecessary pieces out of apache to limit exposure (if you're always going to disable the auto index, not enabling it makes sure there's no attack surface there).

avatar Paladin Paladin - open - 31 Mar 2017
avatar joomla-cms-bot joomla-cms-bot - change - 31 Mar 2017
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 31 Mar 2017
avatar brianteeman brianteeman - change - 31 Mar 2017
Status New Closed
Closed_Date 0000-00-00 00:00:00 2017-03-31 16:29:39
Closed_By brianteeman
avatar brianteeman brianteeman - close - 31 Mar 2017
avatar brianteeman
brianteeman - comment - 31 Mar 2017

Closing. Arlren if you create a pr you don't need to create an issue as well the system is clever

avatar Paladin
Paladin - comment - 31 Mar 2017

I created the issue first. I'd forgotten GitHub does all this neat stuff automatically; figured I had to update my repo from upstream, then bring it down to my machine and branch, edit, push up and only then do a PR, so I was going to wait until closer to the end of the day here to do the PR. When I remembered I could just do it all without leaving my browser, and GitHub would manage the rest for me automatically, I did the PR. Next time I'm that slow, I'll at least go back and clean up after myself.

avatar brianteeman
brianteeman - comment - 31 Mar 2017

No worries your not the only one

On 31 Mar 2017 7:26 p.m., "Arlen Walker" notifications@github.com wrote:

I created the issue first. I'd forgotten GitHub does all this neat stuff
automatically; figured I had to update my repo from upstream, then bring it
down to my machine and branch, edit, push up and only then do a PR, so I
was going to wait until closer to the end of the day here to do the PR.
When I remembered I could just do it all without leaving my browser, and
GitHub would manage the rest for me automatically, I did the PR. Next time
I'm that slow, I'll at least go back and clean up after myself.


You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
#15031 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8e5doPU6NqNwE9WNjyqeUJrtEs5Mks5rrUU4gaJpZM4Mv06P
.

Add a Comment

Login with GitHub to post a comment