Bug 469451 - Replace LocationMatch with Directory directive so all aliases are covered
Status: CLOSED NEXTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: phpMyAdmin
Version: el4
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Robert Scheck
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-10-31 18:58 EDT by Nils Breunese
Modified: 2008-12-02 20:23 EST
Doc Type: Bug Fix
Last Closed: 2008-11-28 19:30:23 EST

Description Nils Breunese 2008-10-31 18:58:47 EDT
Description of problem:

The phpMyAdmin package provides /etc/httpd/conf.d/phpMyAdmin.conf which sets up two global aliases, /phpMyAdmin and /phpmyadmin, that both point to /usr/share/phpMyAdmin.

The config file also supplies a section that you can uncomment to make mod_security not block on requests with SQL. This section uses <LocationMatch "/phpMyAdmin/(.+)">. This means that when using /phpMyAdmin the mod_security customization is applied, but not when using the lower-case alias /phpmyadmin. This could be fixed by expanding the regex to also apply to phpmyadmin, but I believe the better fix is to just use <Directory /usr/share/phpMyAdmin> instead of the LocationMatch.

The Apache documentation also recommends using the Directory directive: "Use <Location> to apply directives to content that lives outside the filesystem. For content that lives in the filesystem, use <Directory> and <Files>."


Version-Release number of selected component (if applicable): 2.11.9.3-1


Patch:


 #<IfModule mod_security.c>
-#    <LocationMatch "/phpMyAdmin/(.+)">
+#    <Directory /usr/share/phpMyAdmin>
 #       SecRuleInheritance Off
-#    </LocationMatch>
+#    </Directory>
 #</IfModule>
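
Review bot: The <Directory /usr/share/phpMyAdmin> section widens where "SecRuleInheritance Off" applies by more than the lower-case alias, and the commented block should say so. The old pattern "/phpMyAdmin/(.+)" needed at least one character after the trailing slash, so the bare /phpMyAdmin and /phpMyAdmin/ entry URLs never matched it; the Directory form turns rule inheritance off for every request served from that directory, through either alias and through any alias added later. Since this switches off inherited mod_security rules, suggest a one-line comment above the section stating that it covers all URLs mapped to /usr/share/phpMyAdmin, and quoting the path ("/usr/share/phpMyAdmin") to match the quoted argument it replaces.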
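
The coverage gap described in this report can be checked mechanically. The following is an added example, not part of the original report or of the phpMyAdmin package: it lists the aliases whose requests are not reached by any URL-scoped or filesystem-scoped section. The sample configuration is constructed (with the section uncommented), the function names are hypothetical, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Constructed sample modelled on the configuration the report describes: two
# aliases for one directory and a URL-scoped mod_security override (uncommented).
SAMPLE_CONF = '''
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<IfModule mod_security.c>
    <LocationMatch "/phpMyAdmin/(.+)">
        SecRuleInheritance Off
    </LocationMatch>
</IfModule>
'''

# The same sample with the change proposed in the report applied.
PATCHED_CONF = (SAMPLE_CONF
                .replace('<LocationMatch "/phpMyAdmin/(.+)">',
                         '<Directory /usr/share/phpMyAdmin>')
                .replace('</LocationMatch>', '</Directory>'))

# Lines starting with '#' are not matched, so commented-out sections are ignored.
ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.M)
LOCMATCH_RE = re.compile(r'^\s*<LocationMatch\s+"?([^">]+)"?\s*>', re.M)
DIRECTORY_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.M)

def alias_coverage(conf, probe="/index.php"):
    """Map each Alias URL prefix to whether a request below it is reached by
    a <LocationMatch> regex (URL space) or a <Directory> (filesystem)."""
    # LocationMatch patterns are unanchored, hence search() rather than match().
    loc_patterns = [re.compile(p) for p in LOCMATCH_RE.findall(conf)]
    directories = [d.rstrip("/") for d in DIRECTORY_RE.findall(conf)]
    result = {}
    for url_prefix, fs_path in ALIAS_RE.findall(conf):
        url = url_prefix.rstrip("/") + probe
        fs = fs_path.rstrip("/")
        by_location = any(p.search(url) for p in loc_patterns)
        by_directory = any(fs == d or fs.startswith(d + "/") for d in directories)
        result[url_prefix] = by_location or by_directory
    return result

def uncovered_aliases(conf):
    """Aliases whose requests fall outside every matching section."""
    return sorted(a for a, ok in alias_coverage(conf).items() if not ok)

if __name__ == "__main__":
    print("before:", uncovered_aliases(SAMPLE_CONF))
    print("after: ", uncovered_aliases(PATCHED_CONF))
```

The check does not look at which directives a section contains, so it fits files where the only `<LocationMatch>` and `<Directory>` sections are the ones being audited.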
Comment 1 Robert Scheck 2008-10-31 19:37:03 EDT
Nils, thanks for your report. I know what the mod_security part is for, I
was the guy wanting to have it there a long, long time ago. I will take care of
this with the next phpMyAdmin update which surely will come...
Comment 2 Fedora Update System 2008-11-28 19:26:19 EST
phpMyAdmin-3.1.0-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc10
Comment 3 Fedora Update System 2008-11-28 19:26:22 EST
phpMyAdmin-3.1.0-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc9
Comment 4 Fedora Update System 2008-11-28 19:26:29 EST
phpMyAdmin-3.1.0-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc8
Comment 5 Robert Scheck 2008-11-28 19:30:23 EST
856 (phpMyAdmin): Build on target fedora-4-epel succeeded.
857 (phpMyAdmin): Build on target fedora-5-epel succeeded.

Package: phpMyAdmin-3.1.0-1.fc11 Tag: dist-f11 Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc10 Tag: dist-f10-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc9 Tag: dist-f9-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc8 Tag: dist-f8-updates-candidate Status: complete Built by: robert
Comment 6 Fedora Update System 2008-12-02 20:12:13 EST
phpMyAdmin-3.1.0-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-12-02 20:18:38 EST
phpMyAdmin-3.1.0-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-12-02 20:23:31 EST
phpMyAdmin-3.1.0-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
