Bug 1373295 - Encoded slashes in url allow misleading text on unstyled 404 pages...

diff --git a/.htaccess b/.htaccess
index d8cf8f0c08b10fe3ab144a2be8edaa4fc7156b8e..30aff3458ae92816f9a7c184016bfc14178d2216 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -11,11 +11,6 @@
 AddType image/x-icon .ico
 AddType application/font-woff .woff
 
-ErrorDocument 401 /errors/401.html
-ErrorDocument 403 /errors/403.html
-ErrorDocument 404 /errors/404.html
-ErrorDocument 500 /errors/500.html
-
 Redirect permanent /queryhelp.cgi https://bugzilla.mozilla.org/query.cgi?format=advanced&help=1
 Redirect permanent /bug_status.html https://bugzilla.mozilla.org/page.cgi?id=fields.html
 Redirect permanent /bugwritinghelp.html https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html

diff --git a/Bugzilla/ModPerl.pm b/Bugzilla/ModPerl.pm
index 42048a5c5b736ceeecb1bb3286eb0ac3f9506c16..7c367ed2e84ed3c0f2f89071c790aaaf108a08b7 100644 (file)
--- a/Bugzilla/ModPerl.pm
+++ b/Bugzilla/ModPerl.pm
@@ -73,6 +73,14 @@ __DATA__
 # so we need to srand() both of them.)
 PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }"
 
+# It is important to specify ErrorDocuments outside of all directories.
+# These used to be in .htaccess, but then things like "AllowEncodedSlashes no"
+# mean that urls containing %2f are unstyled.
+ErrorDocument 401 /errors/401.html
+ErrorDocument 403 /errors/403.html
+ErrorDocument 404 /errors/404.html
+ErrorDocument 500 /errors/500.html
+
 <Directory "[% cgi_path %]">
     AddHandler perl-script .cgi
     # No need to PerlModule these because they're already defined in mod_perl.pl