You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Jerry Walsh <je...@nitroweb.net> on 2001/02/05 15:34:18 UTC

mod_negotiation/7193: MultiViews causes script dump?

>Number:         7193
>Category:       mod_negotiation
>Synopsis:       MultiViews causes script dump?
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Feb 05 06:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     jerry@nitroweb.net
>Release:        1.3.14
>Organization:
apache
>Environment:
FreeBSD 4.2-STABLE FreeBSD 4.2-STABLE #0: Tue Jan 16 10:49:04 GMT 2001     
FreeBSD 3.5-STABLE FreeBSD 3.5-STABLE #0: Wed Jan 24 10:15:12 GMT 2001
>Description:
Hello,

I did not test this alot
but i managed to reproduce it on the above envoirnments

Basically
my cgi-bin's are all in:

/www/CGI-BIN

For this directory if i use:

<Directory /www/CGI-BIN/>
Options MultiViews
</Directory>

Restart apache and then run a cgi script
lets say

http://search.apache.org/index.cgi

The script runs - no problems
but if i do:

http://search.apache.org/index

I get the source code of the cgi
(NOTE i am using search.apache.org as an EXAMPLE - it does NOT work here)

If i removed MultiViews from the options this fixes the problem.

I tried this with the CGI-BIN inside and outside the webroot - both displayed the cgi source code when MultiViews was enabled.


Can you tell me what's going on here?
is this a known bug?
>How-To-Repeat:

# mkdir -p /www/WWW/your-host.com

Put the following in your config file:
<Directory "/www/WWW/">
Options MultiViews
</Directory>

<VirtualHost Your-host.com>
 ScriptAlias /cgi-bin/ "/www/WWW/cgi-bin/"
 DocumentRoot /www/WWW/your-host.com/
 ServerName your-host.com
</VirtualHost>

put a cgi script in the cgi-bin for your-host.com

check to see if it runs
if it does
then access the cgi script WITHOUT its extension.
>Fix:

Remove MultiViews from your options?
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]