Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/03/24 01:37:36 UTC
DO NOT REPLY [Bug 50964] New: Apache HTTPD 2.2 does not parse nested
server side includes properly
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
Summary: Apache HTTPD 2.2 does not parse nested server side
includes properly
Product: Apache httpd-2
Version: 2.2.17
Platform: PC
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: mod_include
AssignedTo: bugs@httpd.apache.org
ReportedBy: nllamb@msn.com
When enabling includes within HTTPD, Apache 2.2 only parses first-level
<!--#include virtual="/some_file.shtml" --> includes.
Nested includes, while maybe not conventional, should be supported by the
server.
Such situations can occur when a header is created by using something like:
<!--#include virtual="/header.shtml" -->
and within header.shtml it has additional includes like:
<!--#include virtual="/banner.shtml" -->
<!--#include virtual="/contacts.shtml" -->
etc.
When loaded by Apache, it responds by passing this data as plaintext.
Recommended solution:
Enable a directive enabling the operator to specify how deep httpd should parse
included documents. Set the default to 1, allow overwrite to some reasonable
max such as 10.
Doing this would allow people to nest server side includes without the
potential of DOSing the system via infinite recursion (in the case of a
self-referencing or otherwise erroneously-coded html doc).
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #2 from Joe Orton <jo...@redhat.com> 2011-03-26 11:21:23 EDT ---
Nested SSIs work fine, it is highly likely you have some kind of configuration
error; please list a set of steps to reproduce the problem starting from a
vanilla 2.2.17 installation.
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
--- Comment #6 from Eric Covener <co...@gmail.com> 2011-03-26 15:22:04 EDT ---
That's because you configu(In reply to comment #5)
> The online help doesn't go into clear details on how to tell it which
> extensions/files/etc. to process as an include.
>
> (In reply to comment #4)
> > It treats whatever you tell it to treat as SSI.
Not sure how one could do much better than what's already in the manual:
http://httpd.apache.org/docs/current/mod/mod_include.html#enabling
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
--- Comment #8 from Nick Kew <ni...@webthing.com> 2011-03-26 20:56:27 EDT ---
Having come from a windows perspective and stumbled on a gotcha we hadn't
considered, you might be well-placed to contribute to improving the docs. A
section on "making it behave like IIS" would no doubt be of interest to some
users.
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
Nick <nl...@msn.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|INVALID |WORKSFORME
--- Comment #7 from Nick <nl...@msn.com> 2011-03-26 15:58:13 EDT ---
Good page except it still seems limited. It would be nice (for Windows users)
to have it parse the files similar to IIS since we don't have the execute bit
capability (as mentioned in the article).
The solution mentioned in my original post seems reasonable to implement and
would work across platforms with no serious issues.
As it stands, I have to make every file a .shtml to ensure that when they are
imported HTTPD will be forced to perform processing on it -- this slows
everything down but removes the errors my users experienced.
(In reply to comment #6)
> That's because you configu(In reply to comment #5)
> > The online help doesn't go into clear details on how to tell it which
> > extensions/files/etc. to process as an include.
> >
> > (In reply to comment #4)
> > > It treats whatever you tell it to treat as SSI.
> Not sure how one could do much better than what's already in the manual:
> http://httpd.apache.org/docs/current/mod/mod_include.html#enabling
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
--- Comment #5 from Nick <nl...@msn.com> 2011-03-26 15:09:20 EDT ---
The online help doesn't go into clear details on how to tell it which
extensions/files/etc. to process as an include.
(In reply to comment #4)
> It treats whatever you tell it to treat as SSI.
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
--- Comment #3 from Nick <nl...@msn.com> 2011-03-26 14:55:33 EDT ---
I was able to figure out the probable cause of the issue. Any imported file
with an extension other than .shtml will not be parsed by HTTPD as another
include file.
That is, when my header.shtml included various other .html files, those files
weren't being processed by HTTPD. The workaround was to rename these to .shtml
and modify the links in header.shtml.
However, the underlying issue should still be addressed, which is the fact that
HTTPD doesn't perform recursive processing of directives after updating content
from previous directives.
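
A simplified model of the behaviour discussed in comments #3 and #4, added here as an example (it is not mod_include's code and not from anyone in this thread): an included file is expanded only if its own extension is SSI-enabled, otherwise its directives reach the client as plain text. The document tree, the function names and the `max_depth` parameter (standing in for the depth directive proposed in the report) are all assumptions.

```python
import posixpath
import re

INCLUDE = re.compile(r'<!--#include\s+virtual="([^"]+)"\s*-->')

# Constructed sample document tree (not taken from the reporter's server).
SITE = {
    "/index.shtml": 'top <!--#include virtual="/header.shtml" --> end',
    "/header.shtml": '[<!--#include virtual="/banner.html" -->]',
    "/banner.html": 'banner+<!--#include virtual="/contacts.shtml" -->',
    "/contacts.shtml": "contacts",
    "/loop.shtml": 'x<!--#include virtual="/loop.shtml" -->',
}


def render(path, site, ssi_exts, max_depth=10, depth=0):
    """Return the body of `path`, expanding includes only in SSI-enabled files."""
    body = site.get(path)
    if body is None:
        return "[include error: not found]"
    # A file whose extension is not SSI-enabled is sent as-is, so any
    # directives inside it reach the client unprocessed.
    if posixpath.splitext(path)[1] not in ssi_exts:
        return body

    def expand(match):
        # Hypothetical depth cap: stops a self-referencing document.
        if depth + 1 > max_depth:
            return "[include error: depth limit]"
        return render(match.group(1), site, ssi_exts, max_depth, depth + 1)

    return INCLUDE.sub(expand, body)


def leaked_directives(output):
    """List include targets that appear unprocessed in the final output."""
    return INCLUDE.findall(output)


if __name__ == "__main__":
    only_shtml = render("/index.shtml", SITE, {".shtml"})
    both = render("/index.shtml", SITE, {".shtml", ".html"})
    print(only_shtml, leaked_directives(only_shtml))
    print(both, leaked_directives(both))
    print(render("/loop.shtml", SITE, {".shtml"}, max_depth=3))
```

Running `leaked_directives` over rendered pages is a quick way to spot includes that were served raw because the included file's type was never configured for SSI.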
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |RESOLVED
Resolution| |INVALID
--- Comment #4 from Eric Covener <co...@gmail.com> 2011-03-26 14:59:00 EDT ---
It treats whatever you tell it to treat as SSI.
DO NOT REPLY [Bug 50964] Apache HTTPD 2.2 does not parse nested
server side includes properly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50964
--- Comment #1 from Nick <nl...@msn.com> 2011-03-23 20:39:08 EDT ---
Edit: IIS 5 through 7 all properly handle nested server-side includes (when
enabled). Just FYI.
(In reply to comment #0)
> When enabling includes within HTTPD, Apache 2.2 only parses first-level
> <!--#include virtual="/some_file.shtml" --> includes.
> Nested includes, while maybe not conventional, should be supported by the
> server.
> Such situations can occur when a header is created by using something like:
> <!--#include virtual="/header.shtml" -->
> and within header.shtml it has additional includes like:
> <!--#include virtual="/banner.shtml" -->
> <!--#include virtual="/contacts.shtml" -->
> etc.
> When loaded by Apache, it responds by passing this data as plaintext.
> Recommended solution:
> Enable a directive enabling the operator to specify how deep httpd should parse
> included documents. Set the default to 1, allow overwrite to some reasonable
> max such as 10.
> Doing this would allow people to nest server side includes without the
> potential of DOSing the system via infinite recursion (in the case of a
> self-referencing or otherwise erroneously-coded html doc).