    #1 (joined Oct 2005, Chicago, IL USA)

    AuthType configured with no corresponding authorization directives

    I don't use the download folder much but have a need to now and can't. When accessing download/test.zip via the browser, I get a 500 server error. The log file reveals the error in the subject: "AuthType configured with no corresponding authorization directives".

    A little research points to the first few lines of the htaccess file in the download folder:
    Code:
    AuthType Basic
    AuthName "No access"
    AuthUserFile .htnopasswd
    AuthGroupFile /dev/null
    #Require valid-user

    A cPanel thread suggested adding Require valid-user before AuthType Basic. But that results in a prompt to login. If I comment out AuthType Basic, I can access the file but I'd rather not bypass the security Zen Cart builds in. Seems there is something else going on, but I'm not sure what.

    #2 (joined Oct 2005, Chicago, IL USA)

    Re: AuthType configured with no corresponding authorization directives

    A possible solution. The server is running Apache 2.4. According to Apache (http://httpd.apache.org/docs/2.4/upgrading.html), Order, Allow and Deny should be replaced.

    My new htaccess file looks like this:

    Code:
    # deny *everything*
    <FilesMatch ".*">
    	Require all denied
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(zip|gzip|pdf|mp3|swf|wma|wmv|wav|epub|ogg|webm|m4v|m4a)$">
    	Require all granted
    </FilesMatch>
    instead of
    Code:
    # deny *everything*
    <FilesMatch ".*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(zip|gzip|pdf|mp3|swf|wma|wmv|wav|epub|ogg|webm|m4v|m4a)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    It seems to be working, but I will test more in the morning. Any input or feedback is welcome.

    #3 (joined Jan 2004)

    Re: AuthType configured with no corresponding authorization directives

    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

    #4 (joined Jul 2012)

    Re: AuthType configured with no corresponding authorization directives

    And to confirm, you want anyone to have the ability to access the download folder "publicly" (not the pub folder) and not just those who have purchased something? Which further means that anyone who has the path to the "product" will be able to access it regardless of their business on the site?

    #5 (joined Oct 2005, Chicago, IL USA)

    Re: AuthType configured with no corresponding authorization directives

    Quote Originally Posted by DrByte:
    Thanks DrByte. We will try this out.

    @mc12345678 Yes, for now. They are not products they put in this folder, just informational PDFs. They really should be in the pub folder and I've suggested we move them. They also have PDFs in the images folder, so.

    #6 (joined Apr 2010)

    Re: AuthType configured with no corresponding authorization directives

    Hi,

    I recently encountered this issue and, thanks to this thread, was able to get the downloads folder working again.

    My question is: How pervasive is this issue? Do I need to track down every htaccess and make alterations?

    If that is the case, can you identify the specific bad code (no longer applicable) passage *and* identify the good code portion?

    The reason I ask is that each htaccess allows or denies specific things. I cannot simply replace the content of every htaccess with the new code.

    I'm hoping that there is a single controlling passage in the old code that can be replaced with new code, leaving everything else intact?

    Here is the Old Code:
    Code:
    #
    # @copyright Copyright 2003-2011 Zen Cart Development Team
    # @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    # @version $Id: .htaccess 18695 2011-05-04 05:24:19Z drbyte $
    #
    
    AuthType Basic
    AuthName "No access"
    AuthUserFile .htnopasswd
    AuthGroupFile /dev/null
    #Require valid-user
    
    
    ###############################
    #
    # This is used with Apache WebServers
    #
    # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
    # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
    # Will also prevent people from seeing what is in the dir. and any sub-directories
    #
    # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
    # Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified. 
    # Example:
    #<Directory "/usr/local/apache/htdocs">
    #  AllowOverride Limit Options Indexes
    #</Directory>
    ###############################
    
    # deny *everything*
    <FilesMatch ".*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch ".*\.(zip|ZIP|gzip|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA|wmv|WMV|wav|epub)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    
    <IfModule mod_headers.c>
      <FilesMatch ".*\.(zip|ZIP|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA|wmv|WMV|wav|epub)$">
        # tell all downloads to automatically be treated as "save as" instead of launching in an application directly
        # ALERT: ForceType requires Apache2 or later. If using older version of Apache, it will need mod_mime installed. Or just comment out the ForceType line below
        # (to disable, just comment the next 2 lines by adding a '#' at the beginning of each):
        # DISABLED ForceType application/octet-stream
        # DISABLED Header set Content-Disposition attachment
      </FilesMatch>
    </IfModule>
    
    IndexIgnore */*
    
    
    ## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
    # OPTIONS -Indexes -ExecCGI
    Here is the New Code:
    Code:
    #
    # @copyright Copyright 2003-2016 Zen Cart Development Team
    # @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    # @version $Id: .htaccess 18695 2011-05-04 05:24:19Z drbyte $
    #
    
    AuthType Basic
    AuthName "No access"
    AuthUserFile .htnopasswd
    AuthGroupFile /dev/null
    #Require valid-user
    
    
    ###############################
    #
    # This is used with Apache WebServers
    #
    # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
    # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
    # Will also prevent people from seeing what is in the dir. and any sub-directories
    #
    # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
    # Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
    # Example:
    #<Directory "/usr/local/apache/htdocs">
    #  AllowOverride Limit Options Indexes
    #</Directory>
    ###############################
    
    # deny *everything*
    <FilesMatch ".*">
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
      </IfModule>
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(zip|gzip|pdf|mp3|swf|wma|wmv|wav|epub|ogg|webm|m4v|m4a)$">
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
      </IfModule>
    </FilesMatch>
    
    <IfModule mod_headers.c>
      <FilesMatch "(?i).*\.(zip|pdf|mp3|swf|wma|wmv|wav|epub|ogg|m4v|m4a)$">
        # tell all downloads to automatically be treated as "save as" instead of launching in an application directly
        # ALERT: ForceType requires Apache2 or later. If using older version of Apache, it will need mod_mime installed. Or just comment out the ForceType line below
        # (to disable, just comment the next 2 lines by adding a '#' at the beginning of each):
        # DISABLED ForceType application/octet-stream
        # DISABLED Header set Content-Disposition attachment
      </FilesMatch>
    </IfModule>
    
    IndexIgnore */*
    
    
    ## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
    # OPTIONS -Indexes -ExecCGI

    #7 (joined Oct 2005, Chicago, IL USA)

    Re: AuthType configured with no corresponding authorization directives

    The htaccess files have been changed in 1.5.5e (maybe it was earlier) to incorporate these changes. You could compare your cart with 1.5.5e for possible changes to your site.

    #8 (joined Jan 2004)

    Re: AuthType configured with no corresponding authorization directives

    Quote Originally Posted by Feznizzle:
        My question is: How pervasive is this issue? Do I need to track down every htaccess and make alterations?
    Since your host changed Apache versions and didn't include the backward-compatibility module, the answer to "how pervasive" is 100%.

    Two options:
    a) get your server administrator to install the mod_access_compat Apache module for 2.2 compatibility.
    or
    b) update all your .htaccess rules per: https://github.com/zencart/zencart/pull/1081/files


    Note: Most people NEVER need to touch the original content of the various supplied .htaccess files ... so, unless you're one who has changed them drastically, most of these changes are very straightforward to make. A dozen files, with the same kinds of changes being made in each.
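As an added example (not code from this thread, from Zen Cart, or from the PR linked above), the following Python script does mechanically what post #2's replacement and post #8's "how pervasive is this" answer imply: it walks a tree, reads every .htaccess it finds, flags each Apache 2.2-only Order/Allow/Deny/Satisfy directive that is not wrapped in `<IfModule !mod_authz_core.c>`, and flags an AuthType that has no uncommented Require anywhere in the file (the condition behind the "AuthType configured with no corresponding authorization directives" 500 error in the opening post). The function names, the `audit_tree` walker and the two embedded sample files are mine; the samples are trimmed from the old and new download/.htaccess bodies quoted in post #6.

```python
"""Audit .htaccess files for Apache 2.2-only access control (added example).

Apache 2.4 without mod_access_compat does not accept Order/Allow/Deny/
Satisfy, and an AuthType with no Require in scope makes mod_authz_core fail
the request with "AuthType configured with no corresponding authorization
directives".  Function names and sample contents here are constructed for
this example; they are not Zen Cart code.
"""
from __future__ import annotations

import re
from pathlib import Path

# Directives that exist only in 2.2, or on 2.4 only via mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
IFMODULE_OPEN = re.compile(r"<IfModule\s+(!?)([\w.]+)\s*>", re.I)
IFMODULE_CLOSE = re.compile(r"</IfModule\s*>", re.I)
GUARD = "mod_authz_core.c"  # the 2.4-only module the fallback blocks key on


def audit_htaccess(text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) findings for one .htaccess body."""
    findings: list[tuple[int, str]] = []
    guards: list[tuple[bool, str]] = []  # open <IfModule> stack: (negated, module)
    authtype_line = None   # line of the last AuthType seen
    require_seen = False   # any uncommented Require in the file
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := IFMODULE_OPEN.match(line):
            guards.append((m.group(1) == "!", m.group(2).lower()))
            continue
        if IFMODULE_CLOSE.match(line):
            if guards:
                guards.pop()
            continue
        word = line.split()[0].lower()
        if word == "authtype":
            authtype_line = no
        elif word == "require":
            require_seen = True
        elif word in LEGACY:
            # Safe only when reached on a server that lacks mod_authz_core,
            # i.e. inside <IfModule !mod_authz_core.c>.
            guarded = any(neg and mod == GUARD for neg, mod in guards)
            if not guarded:
                findings.append((no, f"2.2-only '{line.split()[0]}' not guarded by "
                                     f"<IfModule !{GUARD}>; use Require all denied/granted"))
    if authtype_line is not None and not require_seen:
        findings.append((authtype_line, "AuthType set with no Require in scope: "
                         "Apache 2.4 returns 500 with 'AuthType configured with no "
                         "corresponding authorization directives'"))
    return findings


def audit_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Audit every .htaccess under root; result keys are paths with findings."""
    report: dict[str, list[tuple[int, str]]] = {}
    for path in Path(root).rglob(".htaccess"):
        found = audit_htaccess(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed samples, trimmed from the old and new download/.htaccess above.
OLD_HTACCESS = """\
AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
#Require valid-user
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>
<FilesMatch "(?i).*\\.(zip|pdf)$">
  Order Allow,Deny
  Allow from all
</FilesMatch>
"""

NEW_HTACCESS = """\
AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
#Require valid-user
<FilesMatch ".*">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
<FilesMatch "(?i).*\\.(zip|pdf)$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
  </IfModule>
</FilesMatch>
"""

if __name__ == "__main__":
    for label, body in (("old", OLD_HTACCESS), ("new", NEW_HTACCESS)):
        found = audit_htaccess(body)
        print(f"{label}: {len(found)} finding(s)")
        for no, msg in found:
            print(f"  line {no}: {msg}")
```

Run `audit_tree("/path/to/your/zencart")` from a Python shell to get the list of files that still need the PR 1081 treatment; an empty dict means every .htaccess is either already converted or only uses the legacy directives inside the `!mod_authz_core.c` fallback. The audit deliberately treats a Require that sits inside `<IfModule mod_authz_core.c>` as satisfying AuthType, because on Apache 2.4 that module is always present.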
