Language Change Maintainers Checked PR-4.4-dev Pending


MacJoom
11 Mar 2024

Since FollowSymlinks is disabled for security reasons in a growing number of Apache hosting setups, this PR adds the more strict SymLinksIfOwnerMatch - but disables both options by default.

Pull Request for Issue # .

Summary of Changes

In htaccess.txt (template for .htaccess):
#Options +FollowSymlinks
#Options +SymLinksIfOwnerMatch

Testing Instructions

Use the changed htaccess.txt as .htaccess

Actual result BEFORE applying this Pull Request

Internal Server error on some hosting environments
Error: /httpdocs/.htaccess: Option FollowSymlinks not allowed here

Expected result AFTER applying this Pull Request

Works

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

MacJoom - open - 11 Mar 2024
MacJoom - change - 11 Mar 2024
Status New Pending
MacJoom - change - 11 Mar 2024
The description was changed
MacJoom - edited - 11 Mar 2024
brianteeman - comment - 11 Mar 2024

Couple of things
Quite a few things

  1. Whenever we have made a change to the htaccess.txt file we have accompanied it with a post installation message that is displayed for upgraded

  2. Just changing this line is not enough in the context of the file. The description/instructions beginning on L10 will also need updating.

  3. There is a performance hit with this change so please consider this alternative https://httpd.apache.org/docs/2.4/misc/perf-tuning.html#symlinks

  4. Is this really something for a patch release?

MacJoom - comment - 11 Mar 2024

Couple of things Quite a few things

  1. Just changing this line is not enough in the context of the file. The description/instructions beginning on L10 will also need updating.

Just for point 2 at the moment - you are correct that this text needs changes too. And I even noticed that +FollowSymLinks is not needed for mod_rewrite - most of my websites run without it - with SEF URLs enabled. So we could even discuss the whole Symlinks options. They are needed however for the newly introduced option to run Joomla from outside of the web root. This must be mentioned too.

sandewt - comment - 12 Mar 2024

Note: In case of a change of an htaccess file, a post installation message must also be added to the code.

MacJoom - comment - 12 Mar 2024

Just an explanation why I did this PR: I had two incidents over the last two weeks when this problem was involved. One Joomla user did a fresh install of Joomla 4.4 on a new hosting environment and copied htaccess.txt to .htaccess as a routine job and then copied other things to web space. When he tried to access the page again he got an internal server error... he called me in desperation. He should have checked the error_log, but without further knowledge about the symlink issue that would not have helped. The other guy moved a running Joomla installation to a new host and immediately had the internal server error.
It always hurts me when people have problems with Joomla... especially when we knew (there was a message about this problem in Mattermost) about this problem before.
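
An added example (not part of the PR or of Joomla's code): a shell check for the failure described in the comment above. It pulls the rejected option out of an Apache error log and reports whether a given .htaccess still names it. The log lines, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Joomla PR. All sample data below is constructed.

# Print "<path> <option>" once for each .htaccess option the server rejected.
# Paths containing spaces are not handled.
rejected_options() {   # $1 = Apache error log
    grep -oE '/[^ ]*\.htaccess: Option [A-Za-z]+ not allowed here' "$1" |
        sed -e 's/: Option / /' -e 's/ not allowed here$//' | sort -u
}

# For each rejected option, say whether an uncommented Options line in the
# given .htaccess still names it (with or without a +/- prefix).
still_named() {        # $1 = error log, $2 = .htaccess to inspect
    rejected_options "$1" | while read -r _path opt; do
        re="^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+-]?${opt}([[:space:]]|\$)"
        if grep -qiE "$re" "$2"; then
            echo "$opt: still named in $(basename "$2")"
        else
            echo "$opt: not named in $(basename "$2")"
        fi
    done
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/error_log" <<'EOF'
[Mon Mar 11 10:00:01 2024] [core:alert] [pid 101] [client 192.0.2.10:50000] /httpdocs/.htaccess: Option FollowSymlinks not allowed here
[Mon Mar 11 10:00:02 2024] [core:alert] [pid 101] [client 192.0.2.10:50001] /httpdocs/.htaccess: Option FollowSymlinks not allowed here
[Mon Mar 11 10:00:03 2024] [php:notice] [pid 102] unrelated line
EOF
    # "before": an .htaccess with the option active; "after": both lines commented out.
    printf '%s\n' 'Options +FollowSymlinks' 'RewriteEngine On' > "$1/before.htaccess"
    printf '%s\n' '#Options +FollowSymlinks' '#Options +SymLinksIfOwnerMatch' \
        'RewriteEngine On' > "$1/after.htaccess"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
rejected_options "$demo_dir/error_log"
still_named "$demo_dir/error_log" "$demo_dir/before.htaccess"
still_named "$demo_dir/error_log" "$demo_dir/after.htaccess"
rm -rf "$demo_dir"
```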

MacJoom - comment - 12 Mar 2024

Note: In case of a change of an htaccess file, a post installation message must also be added to the code.

That's point 1 on Brian's list. We will do that.

MacJoom - comment - 12 Mar 2024
  1. There is a performance hit with this change so please consider this alternative https://httpd.apache.org/docs/2.4/misc/perf-tuning.html#symlinks

Maybe we don't need the option at all for normal use - collecting further information

  1. Is this really something for a patch release?

It's a bug that bothers people on new installations of Joomla 4.4

brianteeman - comment - 12 Mar 2024
  1. Is this really something for a patch release?
    It's a bug that bothers people on new installations of joomla 4.4

My searches suggest that some very large hosts have been doing this for over ten years so it's not "urgent"

MacJoom - change - 13 Mar 2024
Labels Added: PR-4.4-dev
joomla-cms-bot - change - 13 Mar 2024
Category Administration Language & Strings
brianteeman - comment - 14 Mar 2024

Definitely not in favour of the latest updates to this PR as you now disable both options by default, which is not correct.

MacJoom - change - 15 Mar 2024
Labels Added: Language Change Maintainers Checked
MacJoom - change - 19 Mar 2024
The description was changed
MacJoom - edited - 19 Mar 2024
MacJoom - change - 19 Mar 2024
Title
[4.4] Update htaccess.txt - replace FollowSymlinks with SymLinksIfOwnerMatch
[4.4] Update htaccess.txt - add SymLinksIfOwnerMatch, disable both options FollowSymlinks & SymLinksIfOwnerMatch by default
MacJoom - edited - 19 Mar 2024
exlemor - comment - 21 Apr 2024

As for myself, just tested this and my hosting platform does not throw an error message, so of course important to make sure whatever change is made will not break/negatively affect sites that already work with the Options +SymLinksIfOwnerMatch parameters.
