Bug 469451 - Replace LocationMatch with Directory directive so all aliases are covered
Summary: Replace LocationMatch with Directory directive so all aliases are covered
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: phpMyAdmin
Version: el4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-31 22:58 UTC by Nils Breunese
Modified: 2008-12-03 01:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-29 00:30:23 UTC
Type: ---
Embargoed:



Description Nils Breunese 2008-10-31 22:58:47 UTC
Description of problem:

The phpMyAdmin package provides /etc/httpd/conf.d/phpMyAdmin.conf which sets up two global aliases, /phpMyAdmin and /phpmyadmin, that both point to /usr/share/phpMyAdmin.

The config file also supplies a section that you can uncomment to make mod_security not block on requests with SQL. This section uses <LocationMatch "/phpMyAdmin/(.+)">. This means that when using /phpMyAdmin the mod_security customization is applied, but not when using the lower-case alias /phpmyadmin. This could be fixed by expanding the regex to also apply to phpmyadmin, but I believe the better fix is to just use <Directory /usr/share/phpMyAdmin> instead of the LocationMatch.

The Apache documentation also recommends using the Directory directive: "Use <Location> to apply directives to content that lives outside the filesystem. For content that lives in the filesystem, use <Directory> and <Files>."


Version-Release number of selected component (if applicable): 2.11.9.3-1


Patch:


 #<IfModule mod_security.c>
-#    <LocationMatch "/phpMyAdmin/(.+)">
+#    <Directory /usr/share/phpMyAdmin>
 #       SecRuleInheritance Off
-#    </LocationMatch>
+#    </Directory>
 #</IfModule>
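
Review bot: The `SecRuleInheritance Off` context line, now wrapped by `<Directory /usr/share/phpMyAdmin>`, will switch off every inherited mod_security rule for the whole tree under any URL that maps to it once the block is uncommented, and nothing in the commented block says so. A one-line comment above `#<IfModule mod_security.c>` stating that scope would let administrators decide before enabling it. It is also worth checking the unchanged `<IfModule mod_security.c>` guard against the installed module: `SecRuleInheritance` is a ModSecurity 2.x directive, and 2.x is normally tested for with `mod_security2.c`, so with this guard the section may be skipped silently.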

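The alias gap described in the report can be checked mechanically. The following is an added example, not part of the original report or of the phpMyAdmin package: it models how `<LocationMatch>` is tested against the URL-path while `<Directory>` is tested against the filesystem path an alias maps to. The sample configuration is constructed from the description (with the optional section uncommented), the function names are hypothetical, and the model deliberately ignores virtual hosts, `.htaccess` and nested sections.

```python
import re

# Constructed sample: the two aliases from the report, with the optional
# mod_security section uncommented the way an administrator would enable it.
ORIGINAL_CONF = '''
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<IfModule mod_security.c>
    <LocationMatch "/phpMyAdmin/(.+)">
        SecRuleInheritance Off
    </LocationMatch>
</IfModule>
'''
# Same file with the change proposed in the report applied.
PATCHED_CONF = (ORIGINAL_CONF
                .replace('<LocationMatch "/phpMyAdmin/(.+)">', '<Directory /usr/share/phpMyAdmin>')
                .replace('</LocationMatch>', '</Directory>'))

FLAGS = re.M | re.I  # directive names are case-insensitive; '#' lines never match
ALIAS = re.compile(r'^[ \t]*Alias[ \t]+(\S+)[ \t]+"?([^"\s]+)"?', FLAGS)
LOCMATCH = re.compile(r'^[ \t]*<LocationMatch[ \t]+"?([^">]+)"?[ \t]*>', FLAGS)
DIRECTORY = re.compile(r'^[ \t]*<Directory[ \t]+"?([^">]+?)"?[ \t]*>', FLAGS)

def section_coverage(conf, probe="/index.php"):
    """Return {alias URL prefix: True if some active section applies to it}."""
    aliases = {url.rstrip('/'): path.rstrip('/') for url, path in ALIAS.findall(conf)}
    url_patterns = [re.compile(p) for p in LOCMATCH.findall(conf)]
    directories = [d.rstrip('/') for d in DIRECTORY.findall(conf)]
    coverage = {}
    for prefix, fs_path in aliases.items():
        # <LocationMatch> is tested against the requested URL-path
        # (unanchored, case-sensitive regex), so each alias is judged separately.
        by_url = any(p.search(prefix + probe) for p in url_patterns)
        # <Directory> is tested against the filesystem path the alias maps to,
        # so every alias of the same directory gets the same answer.
        by_dir = any(fs_path == d or fs_path.startswith(d + '/') for d in directories)
        coverage[prefix] = by_url or by_dir
    return coverage

def uncovered_aliases(conf):
    """Aliases under which the section's directives would not take effect."""
    return sorted(p for p, ok in section_coverage(conf).items() if not ok)

if __name__ == "__main__":
    print("original:", uncovered_aliases(ORIGINAL_CONF))
    print("patched: ", uncovered_aliases(PATCHED_CONF))
```
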
Comment 1 Robert Scheck 2008-10-31 23:37:03 UTC
Nils, thanks for your report. I know what the mod_security part is for; I
was the guy wanting to have it there a long, long time ago. I will take care of
this with the next phpMyAdmin update, which surely will come...

Comment 2 Fedora Update System 2008-11-29 00:26:19 UTC
phpMyAdmin-3.1.0-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc10

Comment 3 Fedora Update System 2008-11-29 00:26:22 UTC
phpMyAdmin-3.1.0-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc9

Comment 4 Fedora Update System 2008-11-29 00:26:29 UTC
phpMyAdmin-3.1.0-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.1.0-1.fc8

Comment 5 Robert Scheck 2008-11-29 00:30:23 UTC
856 (phpMyAdmin): Build on target fedora-4-epel succeeded.
857 (phpMyAdmin): Build on target fedora-5-epel succeeded.

Package: phpMyAdmin-3.1.0-1.fc11 Tag: dist-f11 Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc10 Tag: dist-f10-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc9 Tag: dist-f9-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.1.0-1.fc8 Tag: dist-f8-updates-candidate Status: complete Built by: robert

Comment 6 Fedora Update System 2008-12-03 01:12:13 UTC
phpMyAdmin-3.1.0-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-12-03 01:18:38 UTC
phpMyAdmin-3.1.0-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-12-03 01:23:31 UTC
phpMyAdmin-3.1.0-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

