Posted to apache-bugdb@apache.org by Steve VanDevender <st...@darkwing.uoregon.edu> on 2000/11/10 21:08:37 UTC
other/6829: mod_vhost_alias treats /cgi-bin/ specially even if VirtualScriptAlias is unset
>Number: 6829
>Category: other
>Synopsis: mod_vhost_alias treats /cgi-bin/ specially even if VirtualScriptAlias is unset
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Nov 10 12:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: stevev@darkwing.uoregon.edu
>Release: 1.3.14
>Organization:
apache
>Environment:
Solaris 2.7 with current recommended patches
Apache 1.3.14 compiled with gcc 2.8.1 (-O3 -fschedule-insns -pipe)
features enabled: suexec, mod_status, mod_info, mod_vhost_alias
>Description:
When mod_vhost_alias is used for mass virtual hosting, leaving
VirtualScriptAlias unset results in all accesses to anything in a virtual host
/cgi-bin/ being denied. This differs from the behavior of regular virtual hosts
when ScriptAlias is unset, where instead /cgi-bin/ acts like any other
subdirectory.
Examining the code for mva_translate() in mod_vhost_alias.c shows that it always
attempts to handle /cgi-bin/ specially even if
conf->cgi_root_mode == VHOST_ALIAS_UNSET, resulting in those accesses being
denied in that case.
>How-To-Repeat:
Enable mod_vhost_alias in an Apache server. Leave VirtualScriptAlias and
VirtualScriptAliasIP unset when configuring mass virtual hosting. Configure a
mass virtual host that contains a cgi-bin directory under its document root, and
place a CGI program or document in it. Attempt to access that CGI program or
document. Compare the behavior with that of a regular VirtualHost when
ScriptAlias is unset and the virtual host contains a cgi-bin directory under its
document root.
>Fix:
I am testing the patch to mod_vhost_alias.c included below, which modifies the
mva_translate() function so that if VirtualScriptAlias is unset, URI
translation is done according to the VirtualDocumentRoot setting without special
handling of /cgi-bin/.
===================================================================
RCS file: RCS/mod_vhost_alias.c,v
retrieving revision 1.1
diff -u -r1.1 mod_vhost_alias.c
--- mod_vhost_alias.c 2000/11/10 01:34:25 1.1
+++ mod_vhost_alias.c 2000/11/10 19:28:24
@@ -412,26 +412,25 @@
mva_sconf_t *conf;
const char *name, *map, *uri;
mva_mode_e mode;
- const char *cgi;
+ int cgi;
conf = (mva_sconf_t *) ap_get_module_config(r->server->module_config,
&vhost_alias_module);
- cgi = strstr(r->uri, "cgi-bin/");
- if (cgi && cgi - r->uri != strspn(r->uri, "/")) {
- cgi = NULL;
+ cgi = 0;
+ if (r->uri[0] != '/') {
+ return DECLINED;
}
- if (cgi) {
+ if (conf->cgi_root_mode != VHOST_ALIAS_UNSET &&
+ strncmp(r->uri + strspn(r->uri, "/"), "cgi-bin/", 8) == 0) {
+ cgi = 1;
mode = conf->cgi_root_mode;
map = conf->cgi_root;
- uri = cgi + strlen("cgi-bin");
+ uri = r->uri + strspn(r->uri, "/") + strlen("cgi-bin");
}
- else if (r->uri[0] == '/') {
+ else {
mode = conf->doc_root_mode;
map = conf->doc_root;
uri = r->uri;
- }
- else {
- return DECLINED;
}
if (mode == VHOST_ALIAS_NAME) {
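Review bot: The early `if (r->uri[0] != '/') return DECLINED;` now runs before the cgi-bin test, so a URI with no leading slash that begins with "cgi-bin/" is declined, whereas the removed strstr/strspn check accepted it (offset 0 equals a strspn of 0) and mapped it through conf->cgi_root. If that is intended, the fix description should say so, since it is a second behaviour change beyond the VHOST_ALIAS_UNSET case. In the new condition, `strspn(r->uri, "/")` is evaluated twice and the literal 8 duplicates the length of "cgi-bin/"; keeping the offset in a local and deriving the length from the string would keep the strncmp and the later `uri = ...` assignment in sync. `cgi` also changes from a pointer to an int flag, so any use of it after this hunk (not visible here) should be checked to confirm it only tests for non-zero.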
>Release-Note:
>Audit-Trail:
>Unformatted: