Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/06 15:33:05 UTC
DO NOT REPLY [Bug 51482] New: Issue with rewrite and mod_autoindex
https://issues.apache.org/bugzilla/show_bug.cgi?id=51482
Bug #: 51482
Summary: Issue with rewrite and mod_autoindex
Product: Apache httpd-2
Version: 2.2.9
Platform: PC
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: jeanpralo@gmail.com
Classification: Unclassified
Hi there,
I've just experienced some pretty critical issues with a rewriting rule
allowing a user to list your local filesystem where apache2 is running.
Create this simple vhost:
<VirtualHost *:80>
ServerName test.com
UseCanonicalName On
DocumentRoot /RDC/test.com
<Directory /RDC/test.com>
Options -Indexes +FollowSymLinks
AllowOverride None
</Directory>
RewriteEngine On
RewriteRule ^(.*) $1 [last]
RewriteLog /tmp/test.log
RewriteLogLevel 3
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" t=%T" time
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" t=%T" f5_forwarder
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder
CustomLog /data/test.log time env=!is-forwarder
CustomLog /data/test.log f5_forwarder env=is-forwarder
ServerSignature Off
</VirtualHost>
Once this is done, try to access http://test.com/etc/. mod_autoindex and
mod_dir must be loaded, and the DirectoryIndex must contain at least
index.html.
You should be able to list the content of the directory if the user who is
running it has the legitimate rights.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 51482] Issue with rewrite and mod_autoindex
juanito <je...@gmail.com> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | jeanpralo@gmail.com
DO NOT REPLY [Bug 51482] Issue with rewrite and mod_autoindex
--- Comment #1 from Eric Covener <co...@gmail.com> 2011-07-06 15:01:52 UTC ---
If you allow /etc/ to be served and configure it for directory listings, and
you substitute /etc/ in a rewriterule, it will be served. In most
configurations with normal <Directory /> restrictions, this is not a concern.
RewriteRule says:
file-system path
Designates the location on the file-system of the resource to be delivered to
the client.
URL-path
A DocumentRoot-relative path to the resource to be served. Note that
mod_rewrite tries to guess whether you have specified a file-system path or a
URL-path by checking to see if the first segment of the path exists at the root
of the file-system. For example, if you specify a Substitution string of
/www/file.html, then this will be treated as a URL-path unless a directory
named www exists at the root of your file-system, in which case it will be
treated as a file-system path. If you wish other URL-mapping directives (such
as Alias) to be applied to the resulting URL-path, use the [PT] flag as
described below.
This is unlikely to be changed in 2.2, but there has been discussion in 2.4
of splitting RewriteRule into two directives so it's always only mapping URI->URI
or URI->Filesystem.
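To make the behaviour in comment #1 concrete, here is an added Python model (not httpd code) of the substitution guess and of the <Directory /> Options check that decides whether mod_autoindex may list the result. The root-directory entries, DocumentRoot and option sets are constructed, and [PT] is modelled as forcing URL-path treatment, which is how I read the documentation quoted above.

```python
"""Model of the mod_rewrite substitution guess discussed in bug 51482.

Added example, not httpd code: the root directory entries, DocumentRoot and
<Directory> option sets below are constructed so the script runs offline.
"""
import re

# Constructed stand-in for the top-level entries of "/" on the server.
ROOT_ENTRIES = {"bin", "etc", "usr", "var", "RDC"}

# Constructed Options per <Directory> block. WEAK mirrors the Debian-style
# default the reporter describes (<Directory /> still allows Indexes);
# HARD sets Options None on <Directory />, so -Indexes in the vhost is moot.
WEAK_OPTIONS = {"/": {"Indexes", "FollowSymLinks"}, "/RDC/test.com": {"FollowSymLinks"}}
HARD_OPTIONS = {"/": set(), "/RDC/test.com": {"FollowSymLinks"}}


def classify(subst, root_entries=ROOT_ENTRIES, pt=False):
    """Return 'filesystem' if the first path segment exists at the root of "/",
    otherwise 'url-path'. [PT] is modelled (assumption) as forcing URL-path
    treatment, since it hands the result back through URL mapping."""
    if pt:
        return "url-path"
    first = subst.lstrip("/").split("/", 1)[0]
    return "filesystem" if first in root_entries else "url-path"


def apply_rule(pattern, subst, flags, request_uri, docroot="/RDC/test.com",
               root_entries=ROOT_ENTRIES):
    """Apply one server-context RewriteRule; return (kind, path on disk)."""
    m = re.match(pattern, request_uri)
    if not m:
        return ("no-match", docroot + request_uri)
    # Expand $N backreferences the way mod_rewrite substitutes them.
    expanded = re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))) or "", subst)
    kind = classify(expanded, root_entries, pt="PT" in flags)
    if kind == "filesystem":
        return (kind, expanded)
    # URL-path: the core translator prefixes it with DocumentRoot.
    return (kind, docroot.rstrip("/") + "/" + expanded.lstrip("/"))


def listing_allowed(path, options):
    """True if the most specific <Directory> covering path enables Indexes,
    i.e. mod_autoindex may list it when no DirectoryIndex file is present."""
    covering = [d for d in options if path == d or path.startswith(d.rstrip("/") + "/")]
    return "Indexes" in options[max(covering, key=len)]
```

Running apply_rule(r"^(.*)", "$1", "L", "/etc/") reproduces the report: the result is classified as a file-system path and, under WEAK_OPTIONS, listing_allowed() returns True because the vhost's -Indexes only covers /RDC/test.com.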
DO NOT REPLY [Bug 51482] Issue with rewrite and mod_autoindex
juanito <je...@gmail.com> changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | RESOLVED
Resolution | | LATER
--- Comment #2 from juanito <je...@gmail.com> 2011-07-06 21:22:30 UTC ---
Yep, the thing is that I didn't pay enough attention when setting up those
servers. Hopefully logs didn't show any bad behaviors. Lucky me!
But this is really a strange/dangerous behavior to me. On Debian the <Directory
/> is not set to Options -Indexes by default. I imagine there are a lot of issues
of that sort out there. There should be at least more information on that point!
And there should be another method such as RewriteRuleForFs, so that dumb
people like me won't make mistakes :)
Ok, this RewriteRule is kind of ...... How could I explain it without hurting my
developers' feelings, can't find.
Anyway, thanks for the explanation. I was trying to understand what was going on
with gdb, you saved me a couple of hours :)
I guess the case can be closed then?!