Generated .htaccess in plugins folder breaks all plugins #4499

Closed
oparoz opened this Issue · 17 comments

3 participants

@oparoz

When a new plugin is installed, an .htaccess file is created in the plugins folder with the following content.
```
<Files "*">
<IfModule mod_access.c>
Deny from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Deny from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>
```

This configuration completely breaks Piwik for us. Leaving the logs littered with messages like this:
```
Jan 11 00:55:44.367351 2014 [pid 95149:tid 34394546176 1.2.3.4:59467 AH01797: client denied by server configuration: /public_html/pro/plugins/Login/javascripts/login.js
```

We're using PHP-FPM 5.4 via FastCGI on Apache 2.4
Files are owned by the user. PHP is run as the user.

Keywords: htaccess, php-fpm

@oparoz

I've just activated the TreemapVisualization plugin and got a different .htaccess, which works.

```
<Files ~ ".(php|php4|php5|inc|tpl|in|twig)$">
<IfModule mod_access.c>
Deny from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Deny from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>
<Files ~ ".(test.php|gif|ico|jpg|png|svg|js|css|swf)$">
<IfModule mod_access.c>
Allow from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Allow from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Allow from all
</IfModule>
Satisfy any
</Files>
```
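
How the two generated files quoted above treat requests under `plugins/`, as an added example that is not part of the original thread or of Piwik's code. It assumes a simplified model of Apache (a `<Files>` section tests the file's basename, the last matching section decides, `Satisfy any` is ignored) and uses condensed copies of the two files with the dots in the patterns escaped.

```python
import fnmatch
import re

# Condensed from the two generated files quoted above: <IfModule> wrappers
# dropped (assumes one access module is loaded) and regex dots escaped.
BROKEN = '<Files "*">\nDeny from all\n</Files>'
WORKING = r'''
<Files ~ "\.(php|php4|php5|inc|tpl|in|twig)$">
Deny from all
</Files>
<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|swf)$">
Allow from all
</Files>
'''
# First path is from the error log above; the other three are constructed.
SAMPLES = ["/public_html/pro/plugins/Login/javascripts/login.js",
           "plugins/Login/Controller.php",
           "plugins/Login/templates/login.twig",
           "plugins/Login/tests/Login.test.php"]
SECTION = re.compile(r'<Files\s+(~\s+)?"([^"]+)">(.*?)</Files>', re.S | re.I)

def parse_sections(text):
    """Return (matcher, verdict) pairs in the order the sections appear."""
    sections = []
    for is_regex, pattern, body in SECTION.findall(text):
        directive = re.search(r"\b(Deny|Allow) from all\b", body, re.I)
        if not directive:
            continue  # no access directive in this section
        if is_regex:
            rx = re.compile(pattern)
            matcher = lambda name, rx=rx: rx.search(name) is not None
        else:
            matcher = lambda name, p=pattern: fnmatch.fnmatchcase(name, p)
        sections.append((matcher, directive.group(1).lower()))
    return sections

def access(htaccess, path):
    """Simplified model: <Files> tests the basename; the last match decides."""
    name = path.rsplit("/", 1)[-1]
    verdict = "allow"  # no section matched: this file adds no restriction
    for matcher, section_verdict in parse_sections(htaccess):
        if matcher(name):
            verdict = section_verdict
    return verdict

def denied(htaccess, paths):
    """Paths from `paths` that the given .htaccess text would block."""
    return [p for p in paths if access(htaccess, p) == "deny"]
```

`denied(BROKEN, SAMPLES)` returns every sample path, while `denied(WORKING, SAMPLES)` returns only the `.php` and `.twig` files, so source and templates stay unreachable and static assets are served.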

@mattab
Owner

Thanks for the report!

I don't think we can easily fix this one; hopefully users experiencing the bug will find this ticket and know to delete the .htaccess causing problems.

@anonymous-piwik-user

We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

That broke all the images across the entire thing and I spent an hour trying to figure out:
1. Did the recent update to 2.2.0 break this?
2. Did another developer tweak the apache settings to break this?
3. Are the files messed up somehow?

Installing a plugin shouldn't break the entire rest of the site by installing a hidden file into a fairly random directory.

This is pretty bad.

STR:

- `cd $PIWIK_INSTALL_DIR/plugins`
- `cat .htaccess`
- Install the number one plugin in the marketplace, SecurityInfo, and then enable it.
- `cat .htaccess`

@mattab
Owner

The other day I stumbled upon this commit in phpbb: https://github.com/phpbb/phpbb/pull/2386/files#diff-f72a38c4bec79cc6ded3f8e435d6bd55L11

Maybe we could check out this one, and possibly how other popular open source projects have sorted their .htaccess so it works across all server configurations.

@mattab
Owner

See related/possibly same issue #4941

@mattab
Owner

Replying to mlissner:

> We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

@anonymous-piwik-user

Replying to matt:

> Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

Yeah, I'm sure. Just checked the server and it still has an .htaccess.bak file with the contents from the OP.

@mattab
Owner

In 6e83e22: Refs #4499 #4941 Adding <IfModule !mod_authz_host.c> around the Satisfy any which may fix the issue.

To test run the following command in the piwik directory:

```
rm js/.htaccess plugins/.htaccess core/.htaccess libs/.htaccess vendor/.htaccess misc/user/.htaccess
```

(this deletes all current htaccess files)

Then visit the System check page
(this re-creates the .htaccess files)

Then browse Piwik -> is it working fine?

If not, check your error log and please paste error as a comment in the ticket.
@anonymous-piwik-user

This seems to be related, in Piwik 2.2.3-b6, image files are not displayed (icons, etc) getting 500 errors instead.

Issue caused by .htaccess in plugins directory, section starting with

```
<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">
```

Once that section is commented icons display correctly.

However, possibly a different issue, still get 500 error (see chrome console) with this file

```
/libs/jquery/themes/base/images/ui-bg_flat_75_ffffff_40x100.png 500 (Internal Server Error)
```

@mattab
Owner

> Issue caused by .htaccess in plugins directory, section starting with
>
> `<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">`
>
> Once that section is commented icons display correctly.

Because it works on my dev, the demo, and many other servers so I'm trying to understand why not on yours and some others:

When this `<Files>` element is in your htaccess files, and you access Piwik, does it log some errors in your server error log?

What is the error message?

Maybe you do understand why this `<Files>` somehow creates an error on your server?

We need more help from you guys to fix the issue properly, cheers :)

@mattab
Owner

In 7183d21: Refs #4499 This should fix the issue with htaccess files being incorrect.
Todo: create Update file to re-create all htaccess files.

@mattab
Owner

In 2e0b98d: Fixes #4499 Adding upgrade file to re-create all htaccess files with the correct values.

@anonymous-piwik-user

Sorry, I did not have mail notification on, just noticed your post.

Unfortunately I don't have access to the full server log, I do have a php error log and there were no errors there.

I don't know what that section of the htaccess causes problems - I didn't do much debugging, the problem could be anywhere in the 2nd half of the htaccess file after <Files> although the commands used are not used in any other application that I used.

I noticed a comment in the new code you posted related to new instruction in Apache 2.4. My server is on Apache 2.2.25 and I normally use Deny / Allow instructions in htaccess.

@mattab
Owner

@samiam can you please try the latest beta version? This issue should be fixed after you upgrade, but we would like to know for sure that it is fixed for you. If not, we will try some more things. See: http://piwik.org/faq/how-to-update/faq_159/

@anonymous-piwik-user

Hmm, I thought it was but the page is not loading properly and I am getting errors in the browser dev panel

```
GET http://www.mydomain.com/plugins/Morpheus/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1
GET http://www.mydomain.com/plugins/Zeitgeist/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1
```

Also getting php errors

```
[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteMiscUserPathWithInstanceId() in /home/user/public_html/analytics/plugins/CoreAdminHome/CustomLogo.php on line 150
[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteTmpPathWithInstanceId() in /home/user/public_html/analytics/core/Twig.php on line 63
```

@anonymous-piwik-user

I looked at this a bit more. As far as I can see the update to the latest beta nuked a .htaccess that I had in the Piwik root folder. After replacing this it seems to work fine.

@mattab
Owner

In 01d9dd0: When deleting htaccess files, make sure we only delete those that we may have created.
Thank you @samiam for the report of bug, that's really helpful. We will not over-delete (often important) htaccess of more Piwik users!
refs #4499
Will be available in 2.3.0-rc2

@oparoz oparoz added this to the 2.3.0 - Piwik 2.3.0 milestone
@mattab mattab was assigned by oparoz
This issue was closed.