Bug 469451

Summary: Replace LocationMatch with Directory directive so all aliases are covered
Product: [Fedora] Fedora EPEL
Reporter: Nils Breunese <nils>
Component: phpMyAdmin
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: el4
CC: mmcgrath
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-29 00:30:23 UTC

Description Nils Breunese 2008-10-31 22:58:47 UTC
Description of problem:

The phpMyAdmin package provides /etc/httpd/conf.d/phpMyAdmin.conf which sets up two global aliases, /phpMyAdmin and /phpmyadmin, that both point to /usr/share/phpMyAdmin.

The config file also supplies a section that you can uncomment to make mod_security not block on requests with SQL. This section uses <LocationMatch "/phpMyAdmin/(.+)">. This means that when using /phpMyAdmin the mod_security customization is applied, but not when using the lower-case alias /phpmyadmin. This could be fixed by expanding the regex to also apply to phpmyadmin, but I believe the better fix is to just use <Directory /usr/share/phpMyAdmin> instead of the LocationMatch.

The Apache documentation also recommends using the Directory directive: "Use <Location> to apply directives to content that lives outside the filesystem. For content that lives in the filesystem, use <Directory> and <Files>."


Version-Release number of selected component (if applicable): 2.11.9.3-1


Patch:


 #<IfModule mod_security.c>
-#    <LocationMatch "/phpMyAdmin/(.+)">
+#    <Directory /usr/share/phpMyAdmin>
 #       SecRuleInheritance Off
-#    </LocationMatch>
+#    </Directory>
 #</IfModule>
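
Review bot: The `<Directory /usr/share/phpMyAdmin>` line widens the scope of `SecRuleInheritance Off` compared with the removed `"/phpMyAdmin/(.+)"` pattern. The regex needed at least one character after the trailing slash, while the Directory section applies to every request served from that path, under any alias. That matches the intent of the report, but the block carries no comment saying so. A one-line comment above `#<IfModule mod_security.c>` stating that uncommenting it turns off inherited mod_security rules for the whole phpMyAdmin directory would help an admin decide whether to enable it.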

Comment 1 Robert Scheck 2008-10-31 23:37:03 UTC
Nils, thanks for your report. I know what the mod_security part is for; I
was the guy wanting to have it there a long, long time ago. I will take care of
this with the next phpMyAdmin update, which surely will come...

Comment 2 Fedora Update System 2008-11-29 00:26:19 UTC
phpMyAdmin-3.1.0-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc10

Comment 3 Fedora Update System 2008-11-29 00:26:22 UTC
phpMyAdmin-3.1.0-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc9

Comment 4 Fedora Update System 2008-11-29 00:26:29 UTC
phpMyAdmin-3.1.0-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc8

Comment 5 Robert Scheck 2008-11-29 00:30:23 UTC
856 (phpMyAdmin): Build on target fedora-4-epel succeeded.
857 (phpMyAdmin): Build on target fedora-5-epel succeeded.

Package: phpMyAdmin-3.1.0-1.fc11 Tag: dist-f11 Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc10 Tag: dist-f10-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc9 Tag: dist-f9-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc8 Tag: dist-f8-updates-candidate Status: complete Built by: robert

Comment 6 Fedora Update System 2008-12-03 01:12:13 UTC
phpMyAdmin-3.1.0-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-12-03 01:18:38 UTC
phpMyAdmin-3.1.0-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-12-03 01:23:31 UTC
phpMyAdmin-3.1.0-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
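
The alias coverage gap described in the report can be checked mechanically. The following is an added example, not code from the report or the phpMyAdmin package: it reads a constructed copy of the configuration (with the mod_security section uncommented) and lists aliases that no section applies to. The function names and the `/index.php` probe path are assumptions, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Constructed sample: the two aliases from the report plus the mod_security
# section, shown uncommented, before and after the proposed patch.
BEFORE = '''
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<IfModule mod_security.c>
    <LocationMatch "/phpMyAdmin/(.+)">
        SecRuleInheritance Off
    </LocationMatch>
</IfModule>
'''
AFTER = (BEFORE.replace('<LocationMatch "/phpMyAdmin/(.+)">', '<Directory /usr/share/phpMyAdmin>')
               .replace('</LocationMatch>', '</Directory>'))

ALIAS = re.compile(r'^\s*Alias\s+(\S+)\s+(\S+)', re.M)
SECTION = re.compile(r'^\s*<(LocationMatch|Directory)\s+"?([^">]+)"?\s*>', re.M)


def alias_coverage(conf, probe="/index.php"):
    """Map each alias URL prefix to True if some section in conf applies to it."""
    sections = SECTION.findall(conf)
    result = {}
    for url_prefix, fs_target in ALIAS.findall(conf):
        url = url_prefix.rstrip("/") + probe      # what the client requests
        fs_path = fs_target.rstrip("/") + probe   # what the alias maps it to
        covered = False
        for kind, arg in sections:
            if kind == "LocationMatch":
                # Matched against the URL path: unanchored and case-sensitive.
                covered |= re.search(arg, url) is not None
            else:
                # <Directory> is matched against the filesystem path after aliasing.
                base = arg.rstrip("/")
                covered |= fs_path == base or fs_path.startswith(base + "/")
        result[url_prefix] = covered
    return result


def uncovered(conf):
    """Return the alias prefixes that no LocationMatch/Directory section covers."""
    return sorted(a for a, ok in alias_coverage(conf).items() if not ok)


if __name__ == "__main__":
    print("before patch:", uncovered(BEFORE))
    print("after patch: ", uncovered(AFTER))
```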