MultiViews should not be enabled by default

inuya5ha · November 27, 2024, 9:55pm

SYSTEM INFORMATION
OS type and version	Almalinux 8
Webmin version	2.202
Virtualmin version	7.20.2

Can someone explain what’s the benefit of enabling MultiViews by default for new Virtual Servers? Besides badly messing with the RewriteEngine directives.

I’ve been hours trying to find out why my RewriteRules failed miserably on Virtualmin, and neither GPT nor Gemini ever suggested to check this new MultiViews setting. By some kind of miracle, Copilot found the answer and provided the suggestion to disable such setting that interferes with the URL rewrite engine.

Please be aware that enabling by default every single new feature might not always be such a great idea. BTW, the option I did require to be enabled, short_open_tags in PHP, was of course disabled by default. I

Joe · November 28, 2024, 4:49am

I don’t know why it’s allowed by default. There are many things that made sense a decade or two ago, particularly with PHP applications, when a lot of these decisions were made, that maybe don’t make sense now. Nobody ever complained, so it’s never been revisited.

@Jamie @Ilia are y’all aware of any negative to removing MultiViews from the default Server Template AllowOverride options for Apache virtual hosts? Code is here: Code search results · GitHub

Joe · November 28, 2024, 4:52am

But, also AllowOverride only means that .htaccess can override that option. It does not mean it is enabled, by default. And, I’m not aware of any security implications to allowing users to override it.

If you’re having trouble with it, it means you enabled it in .htaccess, which isn’t something Virtualmin can really be blamed for.

Jamie · November 28, 2024, 5:35am

I don’t see any harm in removing MultiViews from AllowOverride. But as you said, we only allow it, we don’t actually enable it.

inuya5ha · November 28, 2024, 1:12pm

However, my rewrite rules that worked just fine on the previous host failed until I added:

<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

in my .htaccess, meaning that by default, any new virtual server created by Virtualmin seems to have MultiViews active.

At first the /etc/httpd/conf/httpd.conf file is not the problem, because it was created with:

<Directory /home/sample.com/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/sample.com/cgi-bin>
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

Clearly MultiViews is not activated there.

Is there another .conf file besides the one found at Web Configuration > Configure Website > Edit Directives that is applied to every virtual server?