You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/01/06 10:13:38 UTC
[Bug 55957] New: environment lost when processing child directories'
.htaccess
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
Bug ID: 55957
Summary: environment lost when processing child directories'
.htaccess
Product: Apache httpd-2
Version: 2.4.6
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: jidanni@jidanni.org
We can see the listing of
$ w3m -dump http://radioscanningtw.jidanni.org/images/radioscanningtw/
Index of /images/radioscanningtw
[ICO] Name Last modified Size Description
-----------------------------------------------------------------
[PARENTDIR] Parent Directory -
[IMG] radioscanningtw.png 2006-09-09 14:50 1.1K
[TXT] step.html 2009-04-15 20:40 4.1K
-----------------------------------------------------------------
Apache/2.4.6 (Debian) Server at radioscanningtw.jidanni.org Port 80
But it is gone from the parent,
$ w3m -dump -no-proxy http://radioscanningtw.jidanni.org/images/
Index of /images
[ICO] Name Last modified Size Description
--------------------------------------------------------------
[PARENTDIR] Parent Directory -
[ ] README 2012-03-28 11:36 203
--------------------------------------------------------------
Apache/2.4.6 (Debian) Server at radioscanningtw.jidanni.org Port 80
In addition error.log gets
[Mon Jan 06 15:29:15.433307 2014] [access_compat:error] [pid 2798]
[client 127.0.0.1:46481] AH01797: client denied by server
configuration:
/home/jidanni/radioscanningtw.jidanni.org/images/radioscanningtw/
Examining the server,
$ tree -a images/
images/
|-- README
|-- radioscanningtw
| |-- .htaccess
| |-- radioscanningtw.png
| `-- step.html
We find that if we edit .htaccess,
$ cat images/radioscanningtw/.htaccess
SetEnvIf host radioscanningtw\.jidanni\.org let_me_in
Order Deny,Allow
Deny from all
Allow from env=let_me_in
AddDefaultCharset utf-8
$ ed images/radioscanningtw/.htaccess
134
4
Allow from env=let_me_in
s/e.*/all
Allow from all
w
124
q
$ w3m -dump http://radioscanningtw.jidanni.org/images/
Index of /images
[ICO] Name Last modified Size Description
--------------------------------------------------------------
[PARENTDIR] Parent Directory -
[ ] README 2012-03-28 11:36 203
[DIR] radioscanningtw/ 2014-01-06 15:12 -
--------------------------------------------------------------
Apache/2.4.6 (Debian) Server at radioscanningtw.jidanni.org Port 80
The problem goes away.
The problem is:
1) The effects of .htaccess files in child directories on the parent's
listing is undocumented. And more importantly, it has a bug:
"SetEnvIf host" loses track of the host name in this secondary query
stage, even though it is all part of the same HTTP request!
# a2query -c
other-vhosts-access-log (enabled by maintainer script)
php5-cgi (enabled by site administrator)
serve-cgi-bin (enabled by maintainer script)
jidanni (enabled by site administrator)
localized-error-pages (enabled by maintainer script)
security (enabled by maintainer script)
charset (enabled by maintainer script)
phpmyadmin (enabled by maintainer script)
apache2-doc (enabled by maintainer script)
# cat /etc/apache2/conf-enabled/jidanni.conf |grep -v ^\#
UseCanonicalName Off
VirtualDocumentRoot /home/jidanni/%0
<Directory "/home/jidanni/*">
Options Indexes MultiViews FollowSymLinks
Require all granted
</Directory>
<Directory /*>
AllowOverride All
</Directory>
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] some operators defective when processing child
directories' .htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #8 from Dan Jacobson <ji...@jidanni.org> ---
No there is no working equivalent for 2.2.9.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] some operators defective when processing child
directories' .htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
Dan Jacobson <ji...@jidanni.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |RESOLVED
Resolution|--- |FIXED
--- Comment #10 from Dan Jacobson <ji...@jidanni.org> ---
OK. Opened Bug 55990
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #3 from Dan Jacobson <ji...@jidanni.org> ---
Thank you. Apparently the only choices are revealing too little, due to
the bug, or using IndexOptions +showforbidden and thus revealing too
much.
Please inform me what else is left that I can test on in 2.2 and 2.4,
now that 'host' has been destroyed.
Anyways, the whole idea of environment, is inheriting, at least in
shells, I recall.
If you arbitrarily wipe it out on one of your internal steps, there is
no way the user can recreate it.
This also raises *ONE BIG SECURITY ISSUE*, say the user was depending on
blocking a certain Mr. Snowden, based on the environment. Well that
works... but not in this special certain case!
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #4 from Eric Covener <co...@gmail.com> ---
> This also raises *ONE BIG SECURITY ISSUE*, say the user was depending on
> blocking a certain Mr. Snowden, based on the environment. Well that
> works... but not in this special certain case!
IMO the configuration can be said to have a small security issue.
The resources do not require authentication, directory listings are turned on,
and the configuration to block a user based on the environment was not tested.
The result is that the directory is visible in the parent, but not the
filenames or their contents.
I think we have a documentation issue, but no bug. Discussion of alternate
configs to get the desired behavior is best taken to e.g. users@ stackexechange
-- setting the envvar with mod_rewrite is one portable possibility since it
runs in a different hook, but I haven't analyzed it.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #5 from Dan Jacobson <ji...@jidanni.org> ---
Just revealing a filename IS a security issue.
Imagine the (say Iran) authorities were able to figure out the
maintainer of the ho-hum 'abj' site was in fact also involved in
radioscanning and, gasp, even transgender! Else why were there the mere
mention of those directory names appearing in his shared /images folder!
https://www.mediawiki.org/wiki/Manual:Wiki_family#Ultimate_minimalist_solution
It's either that or severing his directory tree dead in the middle.
As far as stack* I'm sorry but I have been banned for life there, so I
still need somebody to tell a workaround. It doesn't make sense to me
that HTTP_HOST or any other variable I would set would survive, but not 'host'.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #2 from Eric Covener <co...@gmail.com> ---
mod_setenvif only runs on the main request, and subrequests (used by mod_dir to
scan subdirs) do not inherit the environment. Changing either of these to
accomodate this scenario is not so appetizing.
I guess mod_setenvif and mod_dir doc could include those hints.
You didn't mention IndexOptions +showforbidden. Maybe that's enough for your
scenario, but it will show the subdir for users w/o access too.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #6 from Eric Covener <co...@gmail.com> ---
> As far as stack* I'm sorry but I have been banned for life there, so I
> still need somebody to tell a workaround. It doesn't make sense to me
> that HTTP_HOST or any other variable I would set would survive, but not
> 'host'.
I don't think it's unique to HTTP_HOST, which you aren't even changing. The
output is an environment variable and they don't survive, and mod_setenvif is
not re-run.
But, bugzilla is for bugs. I suggest users@ mailing list or IRC for this kind
of discussion and won't continue it here.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] some operators defective when processing child
directories' .htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
Dan Jacobson <ji...@jidanni.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|environment lost when |some operators defective
|processing child |when processing child
|directories' .htaccess |directories' .htaccess
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #7 from Dan Jacobson <ji...@jidanni.org> ---
I am guessing that the authors were probably trying to be careful to
follow scope rules to not allow variables set in say many parallel
/images/*/.htaccess files to affect each other, but overdid it, leaving
no scope at all for the current file.
-----------
SetEnv only affects Allow from env=!... not env=...
By the way, also highly unexplainable to me is why only one of the
following four work, instead of two:
# while read; do cat ~jidanni/mediawiki/images/radioscanningtw/.htaccess; w3m
-dump http://radioscanningtw.jidanni.org/images |grep radio.*:; echo
----------; done
Order Deny,Allow
Deny from all
Allow from env=!let_me_in
[DIR] radioscanningtw/ 2014-01-07 11:18 -
----------
Order Deny,Allow
Deny from all
Allow from env=let_me_in
----------
SetEnv let_me_in 1
Order Deny,Allow
Deny from all
Allow from env=let_me_in
----------
SetEnv let_me_in 1
Order Deny,Allow
Deny from all
Allow from env=!let_me_in
----------
Browsing the child directly with
d=radioscanningtw.jidanni.org/images/radioscanningtw/; while read; do
cat ~jidanni/$d/.htaccess; w3m -dump http://$d; echo -n ----------;
done
shows the same 3/1 pattern.
Below we observe SetEnvIfExpr is defective when processing the subdir.
+ cat
/home/jidanni/radioscanningtw.jidanni.org/images/radioscanningtw/.htaccess
SetEnvIfExpr true let_me_inX
Order Deny,Allow
Deny from all
Allow from env=!let_me_inX
+ w3m -dump http://radioscanningtw.jidanni.org/images
Index of /images
[ICO] Name Last modified Size Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[PARENTDIR] Parent Directory -
[ ] README 2012-03-28 11:36 203
[DIR] radioscanningtw/ 2014-01-07 13:19 -
[DIR] taizhongbus/ 2014-01-06 15:14 -
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Apache/2.4.6 (Debian) Server at radioscanningtw.jidanni.org Port 80
+ w3m -dump http://radioscanningtw.jidanni.org/images/radioscanningtw
Forbidden
You don't have permission to access /images/radioscanningtw on this server.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Apache/2.4.6 (Debian) Server at radioscanningtw.jidanni.org Port 80
=========
==========AH WORKS!===========for both passes!=====
<If "%{HTTP_HOST} !~ /radioscanningtw\.jidanni\.org/i">
SetEnv blockme 1
</If>
Order Deny,Allow
Deny from all
Allow from env=!blockme
=============================
So we see the problem has nothing to do with the environment, but
instead some operators!
SetEnv blockme 1
<If "%{HTTP_HOST} =~ /radioscanningtw\.jidanni\.org/i">
UnSetEnv blockme
</If>
Order Deny,Allow
Deny from all
Allow from env=!blockme
Above also works.
However, the following doesn't. How to explain that?!
<If "%{HTTP_HOST} =~ /radioscanningtw\.jidanni\.org/i">
SetEnv good 1
</If>
Order Deny,Allow
Deny from all
Allow from env=good
OK I have come up with a final working version,
<If "%{HTTP_HOST} !~ /radioscanningtw\.jidanni\.org/i">
Deny from all
</If>
Thank goodness!
Alas, that works only for 2.4. Still working on 2.2.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
--- Comment #1 from jidanni@jidanni.org ---
s/And more importantly, it has a bug:/And more importantly, 2) it has a bug:/
P.S., A workaround that would also work on Apache 2.2.9 would be welcome, as
Dreamhost won't be updating soon.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] some operators defective when processing child
directories' .htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #9 from Eric Covener <co...@gmail.com> ---
The doc info is addressed in trunk and 2.4, see http://svn.apache.org/r1556102
I'd suggest closing this bug and opening a new simpler, shorter enhancement
request if you need something very specific in 2.4.
But since there are 2.4 alternatives to setenvif (<if>) that is already run for
subrequests, it's unlikely that anything without a patch provided would be
likely to be worked on.
One thing we can't do in bug reports is address how to get your personal
configuration working or. They have to be opened for single distinct issues.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 55957] environment lost when processing child directories'
.htaccess
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55957
jidanni@jidanni.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|regression |normal
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org