I updated to 3.0.5.4p4 today and suddenly started running in to all sorts of issues. One issue is that I am suddenly no longer able to add FCGIWrapper directives to a particular site's apache directive section via the control panel. I have a multi-tenant PHP application with a codebase that is shared across multiple sites/clients. Here are the details: The application is installed in /var/www/sharedapp/ When a client of mine needs access to the app, I add an Apache directive that adds an Alias to that shared app folder, and configure FCGIWrapper to use that particular client's PHP. This has worked perfectly fine up until 3.0.5.4p3 As of 3.0.5.4.p4, if I try to add this configuration to a client, I get "Apache directive blocked by security settings". I cannot find anything in the documentation about this. I did try setting the web security setting to Medium, but that doesn't seem to have helped. Here is an example directive that I add to client configs (under site->options->apache directives): Code: # enable sharedapp for this domain. Ensure the "web" part of the path matches the Linux User this will be running under! # be sure to add this to open_basedir as well or you'll get "no input file specified" errors Alias /sharedapp "/var/www/sharedapp" <Directory /var/www/sharedapp> <FilesMatch "\.php$"> SetHandler fcgid-script </FilesMatch> FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php Options +ExecCGI AllowOverride All Require all granted </Directory> The error I get is: How can I disable this new security feature?
Of course, the moment I posted this I was able to find the solution. I guess I didn't dig deep enough into the docs. I found a diff from one of the latest updates and read through the code - and then I realized it was a setting in the security_settings.ini file. By adjusting the apache_directives_scan_enabled setting (or preferably creating an apache_directives.blacklist.custom with the settings you need) you can resolve this issue.
