https://bugzilla.redhat.com/show_bug.cgi?id=1623265
--- Comment #3 from Petr Pisar <ppisar(a)redhat.com> ---
Reproducer:
(1) Enable user's ~/public_html directories in httpd configuration (add
"UserDir public_html" directive to /etc/httpd/conf.d/userdir.conf) and enable
httpd_enable_homedirs SELinux boolean.
(2) Add to ~/public_html/.htaccess:
<Perl>
warn "HIT";
</Perl>
(3) Request <
http://localhost/~<USER>/> document.
(4) Check /var/log/httpd/error_log for Perl's "HIT" warning message, e.g.
# tail -n 1 error_log
HIT at /home/test/public_html/.htaccess line 2.
A <USER> can write any arbitrary text to /var/log/httpd/error_log.
Proposed fix:
The <Perl> section should not be supported in .htaccess files at all as is
documented in
<
http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directiv...;.
A fix proposed at <
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19>
does that.
This a bug in mod_perl implementation. This not about missing or malfunctioning
"PerlOption -Sections" directive. This is about <Perl> sections being
erroneously processed in <Directory>, <Location>, <Files> section, and
.htaccess files.
--
You are receiving this mail because:
You are on the CC list for the bug.