httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 52824] New: Conflicts between AllowOverride and AllowOverrideList (Manual is completely wrong!)
Date Sun, 04 Mar 2012 22:19:55 GMT

             Bug #: 52824
           Summary: Conflicts between AllowOverride and AllowOverrideList
                    (Manual is completely wrong!)
           Product: Apache httpd-2
           Version: 2.4.1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
    Classification: Unclassified

This is not a duplicate bug of 52823

The confusion comes from the weird relationship between AllowOverride and
AllowOverrideList. Take a look at the example in the manual:



AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above AllowOverride grants permission to the AuthConfig
directive grouping and AllowOverrideList grants permission to only two
directves from the FileInfo directive grouping. All others will cause an
internal server error.


It clearly tells that AuthConfig group as well as CookieTracking and CookieName
are allowed in the .htaccess files.

However, if you put directives of the AuthConfig group, you will get error
messages in the error log and Apache will not parse these directives.

So, this is completely wrong according to the manual. Or, manual is completely

If you trace the source code, the AllowOverrideList maintains a table
(override_list) which is in the core_dir_config structure. All the parameters
of AllowOverrideList are set in this table.

When parsing a .htaccess file, before calling invoke_cmd(), Apache checks
whether cmd->name is in this table. If not, it will go to an error return no
matter whether this cmd's group is allowed in AllowOverride.    

The code is shown as follows:


static const char *invoke_cmd(const command_rec *cmd, cmd_parms *parms,
                              void *mconfig, const char *args)

    /** Have we been provided a list of acceptable directives? */
    if(parms->override_list != NULL)
         if(apr_table_get(parms->override_list, cmd->name) != NULL)
               override_list_ok = 1;

    if ((parms->override & cmd->req_override) == 0 && !override_list_ok)
        if (parms->override & NONFATAL_OVERRIDE) {
            ap_log_perror(APLOG_MARK, APLOG_WARNING, 0, parms->temp_pool,
                          "%s in .htaccess forbidden by AllowOverride",
            return NULL;
        else {
            return apr_pstrcat(parms->pool, cmd->name,
                               " not allowed here", NULL);
    //invoke the corresponding directive function


My test case is to put the following configuration entries into the httpd.conf


#in httpd.conf
#both the Indexes group and AuthDBMGroupFile should be allowed
<Directory />
    AllowOverride Indexes
    AllowOverrideList AuthDBMGroupFile


Then, put a .htaccess file in the DocumentRoot directory with the following


#DirectoryIndex is a directory in the Indexes group according to the manual
DirectoryIndex index.html


Start the httpd server and use browser to access:


You will get the error log message in the error log:

[Sun Mar 04 13:09:27.492655 2012] [core:alert] [pid 24509:tid 140634204722944]
[client] /home/tianyin/apache-2.4.1/htdocs/.htaccess:
DirectoryIndex not allowed here

Thanks a lot!

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message