Development Discussion Board

[Oleg]

Support thread

The .htaccess file in forum root was not packaged in versions 3.0.6 and 3.0.5 at least, and is packaged in 3.0.7. It so happens that some hosts apparently prohibit Order/Allow/Deny in .htaccess, and therefore uploading the stock .htaccess makes all pages generate 500 internal server error.

This is nasty especially for users updating from previous version, when simply uploading new files renders their board unusable.

Apparently the updater checks for the presence of this file, so that simply removing it stops the update. A workaround is to upload an empty .htaccess, which for a typical user is not trivial to figure out.

I don't have a clear solution for this issue. There is definitely value in prohibiting access to config.php and common.php. Perhaps including an alternate .htaccess for hosts where the default one is unacceptable is the best approach, along with instructions how to replace the default .htaccess with the alternate one.

Edit: fixed support thread link, thanks narqelion

[ameeck]

IMHO, I really find it objectively stupid to not allow Allow/Deny declarations in .htaccess, is phpBB supposed to support every weird hosting setup?

[Highway of Life]

Indeed, it makes sense to check for the presence of the .htaccess file because it’s there for added security, the solution might be to inform the user that the .htaccess file does not exist before re-placing it.

[code reader]

IMHO, I really find it objectively stupid to not allow Allow/Deny declarations in .htaccess, is phpBB supposed to support every weird hosting setup?

forgive my french, but this is a back-assword attitude.
if there is a certain hosting solution that happilly works with 3.0.6, and with no change to the host breaks with 3.0.7 there is no other way to look at it except severe regression in phpbb 3.0.7

sometimes regressions are planned and accepted, such as a decision to require minimum version of php, drop support of some backend rdbms system etc.
these kind of things are done in major version (e.g. switch from 3.0 to 3.1), are announce beforehand and discussed, with the understanding that convincing enough arguments can cause to revert this decision.

jumping something like this in minor version, with no announcement and no discussion is simply a bug.
now bugs happen and are not the end of the world, but pretending that this is anything other than purely and simply *phpbb bug* does not make sense.

[Highway of Life]

3.0.7 contains new content in the .htaccess, so it needs to update that file... That is why it's in the update package, that's not a bug.

[code reader]

3.0.7 contains new content in the .htaccess, so it needs to update that file... That is why it's in the update package, that's not a bug.

if it breaks existing installs it *is* a bug, even if you (or anyone else) refuse to accept it.
saying something like "we don't have to support any back-assword server configuration" just doesn't fly: we *don't* have to support "any back-assword server configuration". however, if 3.0.6 support it and we have users on it, and then 3.0.7 breaks it *we own the problem*.

if we did not support such server in the first place it would have been perfectly fine, but having 3.0.7 break perfecly good 3.0.6 installations is a regression bug - no other way around it.

[Oleg]

I was mistaken in claiming that htaccess was not packaged in earlier versions, but people's boards break regardless so the problem does not go away, I just don't know what causes it precisely.

[ToonArmy]

saying something like "we don't have to support any back-assword server configuration" just doesn't fly: we *don't* have to support "any back-assword server configuration". however, if 3.0.6 support it and we have users on it, and then 3.0.7 breaks it *we own the problem*.

if we did not support such server in the first place it would have been perfectly fine, but having 3.0.7 break perfecly good 3.0.6 installations is a regression bug - no other way around it.

It's a bit of an odd one, the default phpBB initial upload won't work on the server. They'll have to delete the .htaccess, now obviously phpBB will work for good. Until we update the .htaccess and they used the changed files package or they use the auto updater, my suggested solution would be to ignore the .htaccess in the auto updater if the file doesn't exist to begin with. Does that sound okay?

[pixel]

even if .htaccess was not packaged in pre-3.0.7 phpbb3, most portal mods do provide a .htacces file change in order to change the default page and set allow/deny.

[Oleg]

my suggested solution would be to ignore the .htaccess in the auto updater if the file doesn't exist to begin with. Does that sound okay?

I imagine a better solution would tell the user that they are missing .htaccess, and give them an option to install new .htaccess or ignore it, along with instructions telling them to delete .htaccess if they choose to install it and their forum breaks. I don't know how much harder this is to implement though.