If one option is permitted, 'All' is permitted.

Impact:
The user can use CGI/SSI/Symlink from any place with their own .htaccess.

Example:
httpd.conf:
  <Directory "/home/*/public_html">
    AllowOverride Options=Indexes
    Options Indexes
  </Directory>

/home/user/public_html/.htaccess:
  Options +All

source code:
httpd-2.2.6/server/core.c line 1461:
  if (!(cmd->override_opts & opt) && opt != OPT_NONE) {

When opt contains two or more bits, override_opts passes any bits of opt.
In 2.2.6 cases, OPT_ALL is defined as "(OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)".
Created attachment 21899
Proposed patch

Fix 2 issues
1) AllowOverride Options allows overriding all the options just as in 2.0
2) Options All in .htaccess is allowed only if all its bits are allowed to be overridden, fix this bug
Thanks for the patch. I only committed the second part of your patch as r652885 (http://svn.apache.org/viewvc?rev=652885&view=rev) that fixes your bug. For the first part of your patch I think the current behaviour is as designed. In the case you disagree please continue this discussion on dev@httpd.apache.org.
(In reply to comment #2)
> Thanks for the patch. I only committed the second part of your patch as r652885
> (http://svn.apache.org/viewvc?rev=652885&view=rev) that fixes your bug. For the
> first part of your patch I think the current behaviour is as designed. In the
> case you disagree please continue this discussion on dev@httpd.apache.org.

Ok I will recheck it and continue there later.
Proposed for backport to 2.2.x as r660284 (http://svn.apache.org/viewvc?rev=660284&view=rev).
Fix was backported; PR wasn't closed.
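
The check quoted in the report and the all-bits rule described in the patch comment, side by side, as an added example that is not the httpd source or the committed patch. The function names and the numeric bit values are assumptions chosen for the illustration; only the quoted if condition and the composition of OPT_ALL come from the report.

```c
#include <stdio.h>

/* Bit values are assumptions for this example; the composition of
 * OPT_ALL is the one quoted in the report for 2.2.6. */
#define OPT_NONE      0
#define OPT_INDEXES   1
#define OPT_INCLUDES  2
#define OPT_SYM_LINKS 4
#define OPT_EXECCGI   8
#define OPT_ALL (OPT_INDEXES | OPT_INCLUDES | OPT_SYM_LINKS | OPT_EXECCGI)

/* Condition quoted from core.c line 1461: the request is refused only
 * when it shares NO bit with override_opts. */
static int reported_check_allows(int override_opts, int opt)
{
    if (!(override_opts & opt) && opt != OPT_NONE)
        return 0;
    return 1;
}

/* Hypothetical helper: bits that were requested but are not permitted. */
static int excess_bits(int override_opts, int opt)
{
    return opt & ~override_opts;
}

/* Rule from the patch comment: allowed only if every bit is permitted. */
static int subset_check_allows(int override_opts, int opt)
{
    return excess_bits(override_opts, opt) == 0;
}

int main(void)
{
    /* Constructed case from the report: AllowOverride Options=Indexes */
    int override_opts = OPT_INDEXES;
    struct { const char *name; int opt; } req[] = {
        { "Indexes", OPT_INDEXES }, { "ExecCGI", OPT_EXECCGI },
        { "All", OPT_ALL }, { "None", OPT_NONE },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("Options %-8s reported=%d subset=%d excess=0x%x\n",
               req[i].name,
               reported_check_allows(override_opts, req[i].opt),
               subset_check_allows(override_opts, req[i].opt),
               (unsigned)excess_bits(override_opts, req[i].opt));
    return 0;
}
```

Single-bit requests get the same answer from both checks; only a multi-bit value such as All separates them, which is why the behaviour is easy to miss when testing one option at a time.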