From 5eab2f4864c28ab945f92800c3294e968dd01428 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Mon, 3 Jul 2017 11:09:11 -0700
Subject: Bug 1373295 - Encoded slashes in url allow misleading text on
 unstyled 404 pages due to AllowEncodedSlashes

---
 Bugzilla/ModPerl.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Bugzilla/ModPerl.pm')

diff --git a/Bugzilla/ModPerl.pm b/Bugzilla/ModPerl.pm
index 42048a5c5..7c367ed2e 100644
--- a/Bugzilla/ModPerl.pm
+++ b/Bugzilla/ModPerl.pm
@@ -73,6 +73,14 @@ __DATA__
 # so we need to srand() both of them.)
 PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }"
 
+# It is important to specify ErrorDocuments outside of all directories.
+# These used to be in .htaccess, but then things like "AllowEncodedSlashes no"
+# mean that urls containing %2f are unstyled.
+ErrorDocument 401 /errors/401.html
+ErrorDocument 403 /errors/403.html
+ErrorDocument 404 /errors/404.html
+ErrorDocument 500 /errors/500.html
+
 <Directory "[% cgi_path %]">
     AddHandler perl-script .cgi
     # No need to PerlModule these because they're already defined in mod_perl.pl
-- 
cgit v1.2.3-24-g4f1b