You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Steve Sobel <ss...@home.com> on 2001/12/18 17:13:45 UTC

general/9181: apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension

>Number:         9181
>Category:       general
>Synopsis:       apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Dec 18 08:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     ssobel@home.com
>Release:        1.3.22
>Organization:
apache
>Environment:
Linux hydrox 2.2.19 #2 Fri Apr 27 03:52:49 CDT 2001 i686 unknown
>Description:
Apache serves up a webpage instead of a 404 error when the directory in which the nonexistent file is being requested matches the filename of a module-supported file extension.  For example:

If PHP is installed, or, in the case I found the bug, RACE (but PHP experiences the same problem, which is how I determined it to probably be an Apache bug):

If, in the root directory of the website, there is a file called somepage.php, then the URL

http://www.someserver.com/somepage/thisfiledoesntexist

Serves up somepage.ace instead of giving a 404 error.  As a result, the browser views somepage.ace, but improperly since the path the browser is viewing is different from the actual path of the file.  Either way, however, the file should not be served up at all - a 404 error should be given.
>How-To-Repeat:
http://dev.riverwatcher.com/nematologists/index.ace -- proper.
http://dev.riverwatcher.com/nematologists/index/nonexistentfile -- improper.
http://dev.riverwatcher.com/nematologists/blahblah.htm -- htm file exists
http://dev.riverwatcher.com/nematologists/blahblah/nonexistentfile -- bug doesn't occur.
>Fix:
Apache probably shouldn't serve these pages up... :-)
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

Re: general/9181: apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension

Posted by "William A. Rowe, Jr." <wr...@covalent.net>.

More on Marc's comments to you...

it's up to a script to look at PATH_INFO and return a 404 not found
error if that PATH_INFO doesn't exist.  This has been a server feature
for years.  Marc was talking about /somepage/doesnotexist v.s.
/somepage.php/doesnotexist.  You can get rid of the former by disabling
Multiviews.  The later still works.

2.0.30 introduces the AcceptPathInfo off directive for CGI's (and php,
and any other handler) that will 404 for you.  In the meantime, it's
up to your script to report 404 if that's what it wants to do with
PATH_INFO.

Bill