You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2012/03/16 12:54:37 UTC
printing r->filename for access denied errors
Seems like IRC users are often confused that permission denied errors
include the URI only and not the filesystem path.
(They're convinced it's failing because httpd is looking in the wrong
place for /index.html, or they think we forgot to add a documentroot,
or have no idea where /foo/bar/baz is supposed to be in the
filesystem)
Is there any harm in adding it? This is the rv from a stat in the
directory walk.
Index: server/request.c
===================================================================
--- server/request.c (revision 1299737)
+++ server/request.c (working copy)
@@ -1094,9 +1094,9 @@
}
else if (APR_STATUS_IS_EACCES(rv)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00035)
- "access to %s denied because search "
- "permissions are missing on a component "
- "of the path", r->uri);
+ "access to %s (filesystem path '%s') denied "
+ "because search permissions are missing on a "
+ "component of the path", r->uri, r->filename);
return r->status = HTTP_FORBIDDEN;
}
else if ((rv != APR_SUCCESS && rv != APR_INCOMPLETE)
@@ -1105,7 +1105,8 @@
* rather than assume not found.
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00036)
- "access to %s failed", r->uri);
+ "access to %s (filesystem path '%s') failed",
+ r->uri, r->filename);
return r->status = HTTP_FORBIDDEN;
}
--
Eric Covener
covener@gmail.com
Re: printing r->filename for access denied errors
Posted by Graham Leggett <mi...@sharp.fm>.
On 16 Mar 2012, at 1:54 PM, Eric Covener wrote:
> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
>
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
>
> Is there any harm in adding it? This is the rv from a stat in the
> directory walk.
+1 to clearer, less ambiguous error messages.
Regards,
Graham
--
Re: printing r->filename for access denied errors
Posted by Eric Covener <co...@gmail.com>.
On Fri, Mar 16, 2012 at 9:58 AM, Plüm, Rüdiger, VF-Group
<ru...@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Nick Kew
>> Sent: Freitag, 16. März 2012 14:50
>> To: dev@httpd.apache.org
>> Subject: Re: printing r->filename for access denied errors
>>
>> On Fri, 16 Mar 2012 07:54:37 -0400
>> Eric Covener <co...@gmail.com> wrote:
>>
>> > Seems like IRC users are often confused that permission denied errors
>> > include the URI only and not the filesystem path.
>> >
>> > (They're convinced it's failing because httpd is looking in the wrong
>> > place for /index.html, or they think we forgot to add a documentroot,
>> > or have no idea where /foo/bar/baz is supposed to be in the
>> > filesystem)
>> >
>> > Is there any harm in adding it? This is the rv from a stat in the
>> > directory walk.
>>
>> Yes, there is harm. Exposing filesystem information will bring
>> in a flood of vulnerability reports. Remember the kerfuffle we
>> had about inodes appearing in etags?
>
> The vulenerability report about inodes in etags was because a HTTP client could
> read the inode information (Do not want to rehash the discussion here if this is
> really a vulnerability if a HTTP client retrieves this information).
> In this case the information is kept on the server and only written to the logfile.
> I see no vulnerability here and IMHO "vulnerability" reports on this should be easy to fend off.
>
+1, I believe r->filename is already recorded in similar messages too
(bad perms on opening file vs. bad perms in directory walk)
RE: printing r->filename for access denied errors
Posted by Plüm,
Rüdiger,
VF-Group <ru...@vodafone.com>.
> -----Original Message-----
> From: Nick Kew
> Sent: Freitag, 16. März 2012 14:50
> To: dev@httpd.apache.org
> Subject: Re: printing r->filename for access denied errors
>
> On Fri, 16 Mar 2012 07:54:37 -0400
> Eric Covener <co...@gmail.com> wrote:
>
> > Seems like IRC users are often confused that permission denied errors
> > include the URI only and not the filesystem path.
> >
> > (They're convinced it's failing because httpd is looking in the wrong
> > place for /index.html, or they think we forgot to add a documentroot,
> > or have no idea where /foo/bar/baz is supposed to be in the
> > filesystem)
> >
> > Is there any harm in adding it? This is the rv from a stat in the
> > directory walk.
>
> Yes, there is harm. Exposing filesystem information will bring
> in a flood of vulnerability reports. Remember the kerfuffle we
> had about inodes appearing in etags?
The vulenerability report about inodes in etags was because a HTTP client could
read the inode information (Do not want to rehash the discussion here if this is
really a vulnerability if a HTTP client retrieves this information).
In this case the information is kept on the server and only written to the logfile.
I see no vulnerability here and IMHO "vulnerability" reports on this should be easy to fend off.
Regards
Rüdiger
Re: printing r->filename for access denied errors
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 16 Mar 2012 16:12:56 +0200
Graham Leggett <mi...@sharp.fm> wrote:
> ETags are seen by clients, we're talking about a message in error_log. Since when did writing stuff to the error_log become a vulnerability?
Bah. I was thinking in terms of errors-to-client.
/me goes back to sleep.
--
Nick Kew
Re: printing r->filename for access denied errors
Posted by Graham Leggett <mi...@sharp.fm>.
On 16 Mar 2012, at 3:50 PM, Nick Kew wrote:
> Yes, there is harm. Exposing filesystem information will bring
> in a flood of vulnerability reports. Remember the kerfuffle we
> had about inodes appearing in etags?
ETags are seen by clients, we're talking about a message in error_log. Since when did writing stuff to the error_log become a vulnerability?
Regards,
Graham
--
Re: printing r->filename for access denied errors
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 16 Mar 2012 07:54:37 -0400
Eric Covener <co...@gmail.com> wrote:
> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
>
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
>
> Is there any harm in adding it? This is the rv from a stat in the
> directory walk.
Yes, there is harm. Exposing filesystem information will bring
in a flood of vulnerability reports. Remember the kerfuffle we
had about inodes appearing in etags?
Maybe exposing it at loglevel debug would be a compromise?
--
Nick Kew
Re: printing r->filename for access denied errors
Posted by Jim Jagielski <ji...@jaguNET.com>.
++1
On Mar 16, 2012, at 7:54 AM, Eric Covener wrote:
> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
>
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
>
> Is there any harm in adding it? This is the rv from a stat in the
> directory walk.
>
> Index: server/request.c
> ===================================================================
> --- server/request.c (revision 1299737)
> +++ server/request.c (working copy)
> @@ -1094,9 +1094,9 @@
> }
> else if (APR_STATUS_IS_EACCES(rv)) {
> ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00035)
> - "access to %s denied because search "
> - "permissions are missing on a component "
> - "of the path", r->uri);
> + "access to %s (filesystem path '%s') denied "
> + "because search permissions are missing on a "
> + "component of the path", r->uri, r->filename);
> return r->status = HTTP_FORBIDDEN;
> }
> else if ((rv != APR_SUCCESS && rv != APR_INCOMPLETE)
> @@ -1105,7 +1105,8 @@
> * rather than assume not found.
> */
> ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00036)
> - "access to %s failed", r->uri);
> + "access to %s (filesystem path '%s') failed",
> + r->uri, r->filename);
> return r->status = HTTP_FORBIDDEN;
> }
>
>
> --
> Eric Covener
> covener@gmail.com
>
RE: printing r->filename for access denied errors
Posted by Plüm,
Rüdiger,
VF-Group <ru...@vodafone.com>.
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Freitag, 16. März 2012 12:55
> To: dev@httpd.apache.org
> Subject: printing r->filename for access denied errors
>
> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
>
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
>
> Is there any harm in adding it? This is the rv from a stat in the
> directory walk.
>
+1
Regards
Rüdiger
Re: printing r->filename for access denied errors
Posted by Daniel Ruggeri <DR...@primary.net>.
On 3/16/2012 6:54 AM, Eric Covener wrote:
> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
>
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
>
> Is there any harm in adding it? This is the rv from a stat in the
> directory walk.
Awesome idea.
--
Daniel Ruggeri