You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/09/01 17:12:43 UTC
DO NOT REPLY [Bug 49859] New: url with additional filepath generates
bad environment variables.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49859
Summary: url with additional filepath generates bad environment
variables.
Product: Apache httpd-2
Version: 2.2.3
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_mime
AssignedTo: bugs@httpd.apache.org
ReportedBy: ben@redsnapper.net
Using the following:
AddHandler test-file .tst
Action test-file /cgi-bin/set.cgi
And with set.cgi =
#!/bin/bash
echo
echo
echo "$@"
set
with an existing file "test.tst" and the url: "http://host/test.tst"
everything is fine = we see eg PATH_TRANSLATED showing "...test.tst"
BUG is exposed with same environment, but the url
"http://host/test.tst/ghost.html"
The handler sees test.tst and calls set.cgi - however, PATH_TRANSLATED
includes /ghost.html as a part of the path, even though clearly the logic is
wrong.
The url should not trigger the handler - (because the file
..../test.tst/ghost.html does not exist )
but should instead trigger a 404.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49859] url with additional filepath generates bad
environment variables.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49859
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> 2010-09-01 11:21:07 EDT ---
The mapping is due to AcceptPathInfo, and CGI says PATH_INFO should be included
in PATH_TRANSLATED. Followups on users@httpd.apache.org unless there's some
gross misunderstanding, in which casr provide verbatim, complete config and log
entries.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49859] url with additional filepath generates bad
environment variables.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49859
Ben Griffin <be...@redsnapper.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
--- Comment #2 from Ben Griffin <be...@redsnapper.net> 2010-09-01 12:03:17 EDT ---
Eric, thanks. I read up on your comments. I attempted to post a mail as
suggested, but was refused.
"AcceptPathInfo Off" appears to have no effect when using a suffix handler via
AddHandler (the handler in the bug report's case is a bash script calling set)
The documentation says:
http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo
"For example, assume the location /test/ points to a directory that contains
only the single file here.html. Then requests for/test/here.html/more and
/test/nothere.html/more both collect /more as PATH_INFO."
"Therefore a request with trailing pathname information after the true filename
such as /test/here.html/more in the above example will return a 404 NOT FOUND
error."
However, this is not what I find.
Here is the entire apache config file. (note that this is based on a Mac, but
the original bug was found on Debian Linux)
apache.conf follows (dso.conf is the default set of modules)
#================================================
Include /etc/apache2/dso.conf
ServerRoot /Library/WebServer
Listen 80
User _www
Group _www
<Directory /Library/WebServer/CGI-Executables/>
Options +ExecCGI
</Directory>
AddHandler cgi-script .cgi
AddType application/test .tst
ScriptAlias /cgi/ /Library/WebServer/CGI-Executables/
Action application/test /cgi/set.cgi
<VirtualHost *:80>
AcceptPathInfo Off
Options -Indexes +FollowSymLinks
DocumentRoot Documents/public
</VirtualHost>
#================================================
set.cgi follows
#================================================
#!/bin/bash
echo Status: 200 OK
echo Content-Type: text/plain
echo
set
#================================================
Directory /Library/WebServer/Documents/public contains one file, called
"here.tst" which is a text file containing the word "test"
Results from the above setting. (taken from the environment as listed by
set.cgi above)
NOTE THAT AcceptPathInfo IS OFF
http://127.0.0.1/here.tst/more
PATH_INFO=/here.tst/more
PATH_TRANSLATED=/Library/WebServer/Documents/public/here.tst/more
What I expect is a 404 - after all, AcceptPathInfo is OFF.
If this is not a bug, how do I ensure that PATH_TRANSLATED always points to a
valid file, especially when using AddHandler
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49859] url with additional filepath generates bad
environment variables.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49859
Ben Griffin <be...@redsnapper.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Platform|Other |All
OS/Version|Linux |All
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org