Bug 1577584 - production server down: "No comments are allowed here"
Summary: production server down: "No comments are allowed here"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 26
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Luboš Uhliarik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-13 09:28 UTC by customercare
Modified: 2021-03-02 09:43 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-14 09:23:04 UTC
Type: Bug


Attachments (Terms of Use)

Description customercare 2018-05-13 09:28:48 UTC
Description of problem:

Since the update, serveral Websites are down with this error message:

".htaccess: No comments are allowed here"

due to this kind of lines in the .htaccess:

### Hijackenden Proxys sperren ###
order deny,allow
deny from 64.72.116.208 #Proxy-tylerschnaidt.com  <===
deny from 38.117.64.101 #Proxy-parspamchal.com    <=== these two
### Ende Hijackenden Proxys sperren ###

Version-Release number of selected component (if applicable):


2018-05-12T22:01:37Z INFO Upgraded: httpd-filesystem-2.4.33-4.fc26.noarch
2018-05-12T22:01:37Z INFO Upgraded: httpd-tools-2.4.33-4.fc26.x86_64
2018-05-12T22:01:37Z INFO Upgraded: httpd-2.4.33-4.fc26.x86_64
2018-05-12T22:01:37Z INFO Upgraded: mod_ssl-1:2.4.33-4.fc26.x86_64


Actual results:

an error message & 500er error message


Expected results:

old behavior, before 2.4.33-4. because :

this change came unexpected, as there is no document handling comments about "when and how they are allowed" at httpd.apache.org that i could find:

https://httpd.apache.org/docs/2.4/howto/htaccess.html ( does not reference it too )


( i could only find how to comment in apache c-module code :) )

Additional info:

Comment 1 Joe Orton 2018-05-14 09:23:04 UTC
deny from 38.117.64.101 #Proxy-parspamchal.com    <=== these two

Yes, configurations like this were never safe because comments within lines are not stripped.  They are now treated as errors within Allow/Deny because of the potential for security issues.

Comment 7 GSwanson 2021-02-25 09:52:16 UTC Comment hidden (spam)
Comment 8 Pandfuldell 2021-03-02 09:43:18 UTC Comment hidden (spam)

Note You need to log in before you can comment on or make changes to this bug.