Posted to users@httpd.apache.org by seb hould <ap...@gmail.com> on 2005/03/09 14:35:45 UTC

[users@httpd] smbfs mounted DocumentRoot

Our webserver is on a RedHat9 IBM e-series.  We serve all files from an
smbfs mounted DocumentRoot.  Now we just realized that whenever we
appended a "%5C" to any of our URIs we could actually see the source
code.
For example "www.somewhere.com/index.php%5C" would let you see the
index.php file's source code.  No need to tell you we were panicking.
In IE, which we mostly use for tests, you have to explicitly enter
the code, but in Firefox, as soon as you end the URI in a backslash it
interprets it as "%5C".  So basically we found it by doing a typo in
Firefox. For the moment I transferred all the files to the webserver,
which has an ext2 filesystem, and everything works fine, but I am
wondering if there's anything I could do in the httpd.conf file to
keep on using that setup.  We tried denying files ending with a
backslash or "%5c"; it didn't work.  We also tried using RedirectMatch or
rewrite, but it seems no regex works.
Now the only link I can make out of this problem is that smb is a
"windows type" protocol and so is the backslash.  But why is it that
when the DocumentRoot is on a Linux based filesystem it appends the
backslash to the file name while on an smbfs it shows the code?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] smbfs mounted DocumentRoot

Posted by Joshua Slive <js...@gmail.com>.
On Wed, 9 Mar 2005 08:35:45 -0500, seb hould <ap...@gmail.com> wrote:
> Our webserver is on a RedHat9 IBM e-series.  We serve all files from an
> smbfs mounted DocumentRoot.  Now we just realized that whenever we
> appended a "%5C" to any of our URIs we could actually see the source
> code.
> For example "www.somewhere.com/index.php%5C" would let you see the
> index.php file's source code.  No need to tell you we were panicking.
> In IE, which we mostly use for tests, you have to explicitly enter
> the code, but in Firefox, as soon as you end the URI in a backslash it
> interprets it as "%5C".  So basically we found it by doing a typo in
> Firefox. For the moment I transferred all the files to the webserver,
> which has an ext2 filesystem, and everything works fine, but I am
> wondering if there's anything I could do in the httpd.conf file to
> keep on using that setup.  We tried denying files ending with a
> backslash or "%5c"; it didn't work.  We also tried using RedirectMatch or
> rewrite, but it seems no regex works.
> Now the only link I can make out of this problem is that smb is a
> "windows type" protocol and so is the backslash.  But why is it that
> when the DocumentRoot is on a Linux based filesystem it appends the
> backslash to the file name while on an smbfs it shows the code?

You could probably use something like

<FilesMatch \.php.+$>
Order allow,deny
Deny from all
</FilesMatch>

(or something similar with <LocationMatch>) as long as you don't have
any .phpfoo extensions.

But you seem to have identified a significant problem with using smbfs
in combination with apache, and I wouldn't be confident using that
unless I was sure there weren't any other similar problems.  I would
start by contacting the smbfs developers and asking them about these
types of issues.  When run under windows, apache is aware of all
the funky ways that you can access the same files under different
names.  If smbfs is extending all those onto unix, then it could
create serious problems, because apache has no way of knowing about
it.

Joshua.
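An added example, not part of the thread: a small Python script that scans constructed Apache access-log lines for the request shape discussed above, applying the same ".php followed by anything" test as the FilesMatch pattern in the reply plus a check for a decoded backslash, so an administrator can tell from existing logs whether the alternate file name was ever requested before the DocumentRoot was moved to ext2. The log lines and addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2005:08:35:45 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Mar/2005:08:36:02 -0500] "GET /index.php%5C HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2005:08:37:10 -0500] "GET /admin/login.php%5c HTTP/1.1" 200 640 "-" "curl/7.10"
203.0.113.9 - - [09/Mar/2005:08:38:00 -0500] "GET /styles.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Mar/2005:08:38:30 -0500] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of one log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Same test as the <FilesMatch \.php.+$> rule in the reply: a script
# extension with any characters after it, which a correctly named
# PHP file never has.
TRAILING_AFTER_EXT_RE = re.compile(r'\.php.+$', re.IGNORECASE)


def alternate_name_flags(target):
    """Return the reasons a request target looks like an alternate
    file name (empty list when it looks normal)."""
    path = target.split('?', 1)[0]      # the query string is not part of the file name
    decoded = unquote(path)             # %5C and %5c both decode to a backslash
    flags = []
    if '\\' in decoded:
        flags.append('backslash')
    if TRAILING_AFTER_EXT_RE.search(decoded):
        flags.append('trailing-after-php')
    return flags


def scan_log(text):
    """Return (target, flags) for every log entry whose request target
    is flagged; entries without a parsable request line are skipped."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flags = alternate_name_flags(m.group('target'))
        if flags:
            findings.append((m.group('target'), flags))
    return findings


if __name__ == '__main__':
    for target, flags in scan_log(SAMPLE_LOG):
        print(target, ','.join(flags))
```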
