Boost-generated .htaccess file in cache dir re-written on CRON run [#1885862]

Hi.

One of the servers I work with uses Andrew File System (AFS), and the following .htaccess directives aren't compatible with AFS (or perhaps it's some other issue beyond my control):

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

If I comment out the lines, the site/boost works as expected. However these lines are added on each CRON run (at least each manual CRON run).

Any thoughts on how to get around this issue?

Thanks,

Dan

Comment	File	Size	Author
#11	boost.module.patch	476 bytes	john bickar

Comments

Comment #1

Anonymous (not verified) commented 11 January 2013 at 07:09

Admittedly I know nothing about AFS, but the directive are apache core directives setHandler requires <em>AllowOverride Fileinfo</em> to be set up on the apache server

http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Options require <em>options</em>

http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Override

and if Options +FollwsymLinks is not working, then clean URL's would not work and therefore boost would not either, However if clean urls are working then poassibly what is happening if that there is something like

<Directory "/cache_folder">
AllowOverride none
</DIrectory>

in play. You can quite easily hack the module by doing a search through the files with any decent text editor or searching program (I use grep) and remove the lines from the output but it's not advised in any way, the code is there to stop file/ command execution as anything other than outputting html as text to avoid the scenario where for example if your server had server side includes active for html files, then a cached file with

in the comments could execute a file on your system. So that would be the danger if you decide to remove those lines from boost.

Comment #2

webdrips commented 11 January 2013 at 08:09

Thanks for getting back to me so quickly on a support issue no less!

After a bit more digging,

Options None
Options +FollowSymLinks

Are the lines that need to be commented out. (Have the same issue in sites/default/files/.htaccess).

The primary .htaccess is pretty standard except for the Boost mods and RewriteBase. I greped the entire docroot for this Drupal install and didn't find any instance of AllowOverride. Oh and clean URLs works just fine for this site.

AFS has an extra layer of permissions, so I think we're safe, but I'll point out your warning to the IT folks.

I will go ahead and comment out the lines as you suggest.

Again thanks for the quick response.

Comment #3

Anonymous (not verified) commented 11 January 2013 at 08:18

I do not think it is AFS, I think it is your main server config because if you can enable mod_rewrite then symlinks are possible but in the server config you must have something like AllowOverride FileInfo and not AllowOverrride All.

set_handler is good (very) and it looks like symlinks are enabled by default on the server to enable you to have clean urls, so the options are not really that necessary since the first directive "none" just remove all options, and the second turns on the one required to allow rewrite to work. You should grep your boost files for

Drupal_Security_Do_Not_Remove_See_SA_2006_006

(good that you are using grep) as the easiest method of changing the module, you may have to disable and re-enable to get it to pick up the changes.

Comment #4

webdrips commented 11 January 2013 at 08:29

Yes I was able to un-comment the Drupal_Security_Do_Not_Remove_See_SA_2006_006 in the cache/.htaccess file and un-comment the lines that add the Options in boost.module, and now everything is working again.

Perhaps I can turn this into a support request and ask that boost provide some admin checkboxes for the .htaccess it outputs in the cache directory?

Maybe I can even write a patch to do this, but I'm not sure how useful it would be since I seem to be the only one needing this.

Thanks again.

Comment #5

Anonymous (not verified) commented 11 January 2013 at 09:20

The only thing is that the 6.x is maintenance release only, it could be done on 7.x but in general it appears that most people have AllowOverride Options set by default on shared hosting and it's not an issue on dedicated hosting (VMS or otherwise) as they have complete control, I think in the last 6 months that there have only been two comments about this and one of those was not related, if BGM instructs me, then I would put it into the 7.x module but like quite a few things there's limited resources and time for features that only 1 out of a thousand would need.

It was however good that you were able to diagnoses that it was cron regenerating and used tools like grep to solve the issue, makes support a lot easier. I'd still be worried out the possibility of server being set up with Options Includes by default as though shtml is not fashionable it creates a great big exploitable hole if comments are not filtered correctly by core and the resultant files in the cache. Same with set_handler and some sites being set up to server everything through mod_php, bad idea but some people do it and we have to cover those scenarios.

Comment #6

john bickar commented 18 January 2013 at 21:39

So boost_cache_delete() calls boost_htaccess_cache_dir_put(), which checks for the existence and contents of cache/.htaccess. If the .htaccess file doesn't exist, or its contents aren't the same, boost_htaccess_cache_dir_put() replaces cache/.htaccess with the output of boost_htaccess_cache_dir_generate().

I have only seen this issue intermittently (same shared hosting environment as @webdrips) - I can cause it to occur when I click "Clear all boost cached data" in the UI at admin/settings/performance/boost, but cannot cause it to occur when running drush boost-cache-clear-all or drush cron, for that matter.

I also am not seeing it occur on regular cron runs. @webdrips, it makes me wonder if your Boost config is set up somehow to clear the entire Boost cache on cron runs?

(Also, I can confirm that AFS is not the issue, it is indeed the Apache configuration of this particular web server.)

Comment #7

flying dutchman commented 1 March 2013 at 20:25

Hi all,

I'm having the same issue, namely that my .htacces in the folder "/cache/[%domain]/" gets replaced on every cron run, thereby generating the 500 server error. This is because I have to comment the lines:

Options None
Options +FollowSymLinks

How do I make sure that my .htaccess files don't get recreated everytime, or that those lines are *not* created, or commented or so?

Thank you for your help.

EDIT: Well, I now edited the boost.module file in the boost module to recreate the .htaccess file with those lines commented (searched for "options"). Now disabling and re-enabling and fingers crossed that this is going to work :) Well, that did not work... Anyone suggestions?

Comment #8

Anonymous (not verified) commented 1 March 2013 at 19:55

Version:	6.x-1.21	» 7.x-1.0-beta2
Component:	Miscellaneous	» Apache integration

Have you tried the setting at the bottom of the page admin/config/system/boost/htaccess to enable SymLinksIfOwnerMatch instead of FollowSymLinks ?

Philip

Comment #9

flying dutchman commented 1 March 2013 at 20:29

I don't see that option?

The problem is that i'm on a shared hosting, and the hosting company doesn't allow

Options None
Options +FollowSymLinks

which means that I have to comment them everytime. But the boost module automatically regenerates the .htaccess files at a cron run :(

Comment #10

Anonymous (not verified) commented 1 March 2013 at 20:32

Can you use clean URL's ? if you can then SymLinksifOwnerMatch should work.

You have to download the dev version of boost possibly, (I wrote that section but don't know if it's been put through to stable even though it is).

Comment #11

john bickar commented 1 March 2013 at 20:35

Status	File	Size
new	boost.module.patch	476 bytes

Yes I was able to un-comment the Drupal_Security_Do_Not_Remove_See_SA_2006_006 in the cache/.htaccess file and un-comment the lines that add the Options in boost.module, and now everything is working again.

@flying dutchman, Here's the patch file that does that (thanks @webdrips), although it's for D6.

Comment #12

Anonymous (not verified) commented 1 March 2013 at 20:50

I understand entirely about some shared hosting and Options not being permitted, but if mod rewrite (clean urls) works then somewhere in the server configuration SymLinks of some description are enabled which is why the configuration was put into boost, #1806158-3: Adding the "expire" module as recommended/dependencies

Commenting out any section of the module should be only a last resort as changes are going to be overwritten in the next release.

Comment #13

flying dutchman commented 1 March 2013 at 21:15

Thank you!

The patch actually does the same as I manually did, namely comment (in a different way, via // instead of #) the options in the boost.module file. I will try again, might be something wrong with the php push of the new file. I still have to set up cygwin on my pc, that's why I do it manually ;)

@Philip: thank you for your help, you are absolutely right. I will try the dev release. ~~Can I just overwrite the boost folder or do I need to disable the boost module first?~~ Sorry for the noob question, found that I can better leave it enabled :)

Okay, now I updated and "probably" the Options +SymLinksIfOwnerMatch worked, but my shared hosting also does not allow
Options None, so this should still manually be patched...

Update: Also the Options +SymLinksIfOwnerMatch is not allowed on my shared host. Still the clear URLs do work...

Boost-generated .htaccess file in cache dir re-written on CRON run