https://bz.apache.org/bugzilla/show_bug.cgi?id=70099
--- Comment #2 from Rich Bowen <[email protected]> --- Testing the before-and-after implied by the doc patch. (Test plan assisted by my robot overlords.) Overview -------- Verified that "AllowOverride Options=X" does NOT prevent .htaccess from implicitly disabling other inherited options when absolute syntax (without +/- prefixes) is used. Setup ----- Configuration added to httpd.conf: <Directory "/usr/local/apache2/htdocs/testdir"> Options Indexes FollowSymLinks ExecCGI AllowOverride Options=Indexes </Directory> A symlink was created to test FollowSymLinks behavior: ln -s /etc/hostname /usr/local/apache2/htdocs/testdir/symlink-test Test Results ------------ Test 1: Baseline (no .htaccess) .htaccess: (none) Result: curl /testdir/ => 200, directory listing displayed curl /testdir/symlink-test => 200, symlink followed PASS — all options active as expected. Test 2: Absolute syntax — implicit disabling .htaccess: Options Indexes Result: curl /testdir/ => 200, directory listing displayed curl /testdir/symlink-test => 403 Forbidden Error log: [Thu Jun 04 11:14:34.151928 2026] [core:error] [pid 565575:tid 565603] [client 192.168.0.53:65418] AH00037: Symbolic link not allowed or link target not accessible: /usr/local/apache2/htdocs/testdir/symlink-test, referer: http://matrim/testdir/ PASS — FollowSymLinks was implicitly disabled even though AllowOverride only permits setting Indexes. This confirms the reported behavior. Test 3: Relative (additive) syntax — no implicit disabling .htaccess: Options +Indexes Result: curl /testdir/ => 200, directory listing displayed curl /testdir/symlink-test => 200, symlink followed PASS — relative syntax merges with inherited set; FollowSymLinks survives. Test 4: Attempting to enable unpermitted option (absolute syntax) .htaccess: Options Indexes ExecCGI Result: curl /testdir/ => 500 Internal Server Error Error log: [Thu Jun 04 11:15:42.626503 2026] [core:alert] [pid 565573:tid 565591] [client 192.168.0.53:65475] /usr/local/apache2/htdocs/testdir/.htaccess: Option ExecCGI not allowed here PASS — restriction correctly blocks enabling unpermitted options. Test 5: Attempting to enable unpermitted option (relative syntax) .htaccess: Options +ExecCGI Result: curl /testdir/ => 500 Internal Server Error Error log: [Thu Jun 04 11:16:06.502862 2026] [core:alert] [pid 565573:tid 565605] [client 192.168.0.53:65496] /usr/local/apache2/htdocs/testdir/.htaccess: Either all Options must start with + or -, or no Option may. PASS — relative syntax also subject to restriction. Summary ------- Test 1: PASS Baseline — all options active Test 2: PASS Absolute syntax implicitly disables inherited options Test 3: PASS Relative syntax does not cause implicit disabling Test 4: PASS Restriction blocks enabling unpermitted options (absolute) Test 5: PASS Restriction blocks enabling unpermitted options (relative) Conclusion ---------- The behavior described in this bug is confirmed. "AllowOverride Options=X" controls which options may be ENABLED by .htaccess, but cannot prevent implicit DISABLING when absolute syntax replaces the entire option set. The existing documentation note is technically correct but confusing. A patch is in progress for trunk that rewrites it as a warning with a concrete example demonstrating this behavior. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
