Posted to apache-bugdb@apache.org by Axel Beckert <ax...@dagstuhl.de> on 1999/03/14 18:45:41 UTC

mod_setenvif/4055: SetEnvIf truncates the query string from $REQUEST_URI when matching against regexp

>Number:         4055
>Category:       mod_setenvif
>Synopsis:       SetEnvIf truncates the query string from $REQUEST_URI when matching against regexp
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Mar 14 09:50:01 PST 1999
>Last-Modified:
>Originator:     axel@dagstuhl.de
>Organization:
apache
>Release:        1.3.4
>Environment:
SunOS dagoffice 4.1.4 11 sun4m, Sun SparcStation 10
gcc version 2.6.3
>Description:
(BTW: Maybe, this is just a doc-bug...)

When matching a regexp against $REQUEST_URI with SetEnvIf or SetEnvIfNoCase, 
the query string is truncated from the URI.

In my access.conf I've written:

SetEnvIf Request_URI test$ is_a_test
<FilesMatch test\..*>
	Order allow,deny
	Allow from all
	Deny from env=is_a_test
</FilesMatch>

With this configuration, a request to
	http://www.dagstuhl.de:8042/test.shtmltest
produces a 403 error as it should, but 
	http://www.dagstuhl.de:8042/test.shtml?test
doesn't. And
	http://www.dagstuhl.de:8042/test.test?html
produces a 403 error, too, but it shouldn't.

The documentation in mod_setenvif.html says "Request_URI - the portion of 
the URL following the scheme and host portion". And when using <!--#printenv -->
$REQUEST_URI contains the query string while e.g. $DOCUMENT_STRING doesn't.
>How-To-Repeat:
See above. This URL should be available at least next week. If not, the server 
isn't for testing anymore and moved to port 80. :-)
>Fix:
- Update documentation in mod_setenvif.html to "Request_URI - the portion of 
  the URL following the scheme and host portion, but in comparison to 
  mod_include.c without the query string" (But IMHO this solution would be 
  quite inconsistent!)
- Or match $REQUEST_URI without truncated query string against the regexp
- Or rename REQUEST_URI in mod_setenvif.c into DOCUMENT_URI

But I would be glad, if the fix would include a regexp matching against the 
query string in any way.

BTW: The documentation doesn't exactly tell me all of the available environment
variables I can use with SetEnvIf, it just says "including the following:" or 
"Some of the more commonly used request headers are:" or "Example:". Nowhere
is it mentioned that I can't use e.g. $QUERY_STRING, although this is IMHO a 
"more commonly used request header"... It would be nice, if all available 
variables would be listed.
>Audit-Trail:
>Unformatted:
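Added example, not part of the original report and not Apache code: a small model of the configuration above that evaluates the three URLs from the report under both readings of Request_URI (path only, as observed, and path plus query string, as the submitter expected). The function names and the use of 200 to mean "not denied by this block" are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the directives quoted in the report.
SETENVIF_RE = re.compile(r"test$")       # SetEnvIf Request_URI test$ is_a_test
FILESMATCH_RE = re.compile(r"test\..*")  # <FilesMatch test\..*>

# The three URLs given in the report.
URLS = [
    "http://www.dagstuhl.de:8042/test.shtmltest",
    "http://www.dagstuhl.de:8042/test.shtml?test",
    "http://www.dagstuhl.de:8042/test.test?html",
]


def match_subject(url, include_query):
    """String the SetEnvIf regexp is tested against in this model."""
    parts = urlsplit(url)
    if include_query and parts.query:
        return parts.path + "?" + parts.query
    return parts.path


def status(url, include_query):
    """403 if the Deny rule fires, else 200 (hypothetical 'not denied')."""
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    env = set()
    if SETENVIF_RE.search(match_subject(url, include_query)):
        env.add("is_a_test")
    # Order allow,deny / Allow from all / Deny from env=is_a_test
    if FILESMATCH_RE.search(filename) and "is_a_test" in env:
        return 403
    return 200


def compare():
    """(url, status with path only, status with path + query) per URL."""
    return [(u, status(u, False), status(u, True)) for u in URLS]


if __name__ == "__main__":
    for url, path_only, with_query in compare():
        print(f"{url:50} path-only={path_only} with-query={with_query}")
```

The path-only column reproduces the behaviour described in the report; the two readings disagree on every URL that carries a query string, which is why an access rule anchored with `$` on Request_URI needs to be reviewed against the semantics the server actually applies.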