Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/08/24 19:33:36 UTC

[Bug 53483] dangerous PCRE patterns in *Match directives

https://issues.apache.org/bugzilla/show_bug.cgi?id=53483

Aurelio Jargas <ve...@aurelio.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |verde@aurelio.net

--- Comment #6 from Aurelio Jargas <ve...@aurelio.net> ---
I agree with Christoph about the documentation problems for these directives.
They're not wrong, but some additional warning must be made to avoid
"over-matching".

The problem is that regex is *always* a partial match, but the non-regex
counterparts do a full match. This makes a huge difference.

    <Files "image.png">
    Matches image.png, but not myimage.png nor image.png.zip.

    <FilesMatch "image\.png">
    Matches image.png, myimage.png, image.png.zip, image.png/foo, ...

This partial match is not expected by the user, since the non-regex directive
does not work that way. It's important to make this distinction very clear in
the docs, in all the path-related directives.

And also encourage the use of anchors and slashes to avoid the undesired
partial matches.

    <FilesMatch "/image\.png$">
    Matches image.png only, in any folder.

    <FilesMatch "^/image\.png$">
    Matches image.png only, in root folder.

Slashes and $ are tricky in folder-related directives, such as in
<DirectoryMatch>.

    <Directory "foo">
    Matches folder foo, in any folder

    <DirectoryMatch "foo">
    Matches folders foo, foobar, myfoo, … in any folder

    <DirectoryMatch "/foo">
    Matches folders foo, foobar, … in any folder

    <DirectoryMatch "/foo/">
    Matches folder foo, in any folder

    <DirectoryMatch "^/foo/">
    Matches root folder foo, *and all its subfolders*, because of the partial
match.

    <DirectoryMatch "^/foo/$">
    Matches root folder foo
    (only works in v2.4, see Bug 49809)

    <DirectoryMatch "/foo/$">
    Matches folder foo, as the last path component, in any folder
    (only works in v2.4, see Bug 49809)

For the user, it's difficult to understand all these subtle differences without
examples and proper explanation.

MY SUGGESTION

Since the partial match is the great culprit for the confusion, my suggestion
for the docs is to update all the examples to use full anchored regexes, with ^
and $, and encourage the user to *always* do it this way, to avoid unexpected
results. Even if all she wants is a partial match:

    <FilesMatch "^.+\.(gif|png|jpg)$">
    <DirectoryMatch "^.*/secret/.*$">

Then all the mentioned problems are reduced to only one problem: make your full
regex right. No Apache inner workings knowledge necessary. And if you don't
know regex, don't mess with it :)

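Added example (not part of the bug report or of httpd itself): a small Python checker that reproduces the partial-vs-full matching contrast from comment #6 and lists which sample paths a <FilesMatch> regex accepts that the plain <Files> directive would reject. It assumes the semantics as described in the comment (<Files> compares the last path component exactly; <FilesMatch> runs an unanchored regex search over the path) and ignores <Files> wildcards; the sample paths are constructed.

```python
import re

# Constructed sample paths that exercise the over-matching cases from the comment.
SAMPLE_PATHS = [
    "/image.png",
    "/myimage.png",
    "/image.png.zip",
    "/image.png/foo",
    "/assets/image.png",
]


def files_matches(name, path):
    """<Files "name">: full match against the last path component.
    Assumption for this demo: plain names only, no fnmatch wildcards."""
    return path.rsplit("/", 1)[-1] == name


def filesmatch_matches(regex, path):
    """<FilesMatch "regex">: re.search is unanchored, i.e. a partial match."""
    return re.search(regex, path) is not None


def over_matched(regex, name, paths=SAMPLE_PATHS):
    """Paths the regex directive accepts but the plain directive rejects
    (the "over-matching" the comment warns about)."""
    return [p for p in paths
            if filesmatch_matches(regex, p) and not files_matches(name, p)]


def under_matched(regex, name, paths=SAMPLE_PATHS):
    """Paths the plain directive accepts but the regex rejects, e.g. when ^
    pins the file to the root folder only."""
    return [p for p in paths
            if files_matches(name, p) and not filesmatch_matches(regex, p)]


def is_fully_anchored(regex):
    """The comment's recommendation: start with ^ and end with an unescaped $."""
    return (regex.startswith("^") and regex.endswith("$")
            and not regex.endswith("\\$"))


if __name__ == "__main__":
    for pattern in (r"image\.png", r"/image\.png$", r"^/image\.png$"):
        print(pattern, "anchored:", is_fully_anchored(pattern),
              "over:", over_matched(pattern, "image.png"),
              "under:", under_matched(pattern, "image.png"))
```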