You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Axel Beckert <ax...@dagstuhl.de> on 1999/03/14 18:45:41 UTC
mod_setenvif/4055: SetEnvIf truncates the query string from $REQUEST_URI when matching against regexp
>Number: 4055
>Category: mod_setenvif
>Synopsis: SetEnvIf truncates the query string from $REQUEST_URI when matching against regexp
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun Mar 14 09:50:01 PST 1999
>Last-Modified:
>Originator: axel@dagstuhl.de
>Organization:
apache
>Release: 1.3.4
>Environment:
SunOS dagoffice 4.1.4 11 sun4m, Sun SparcStation 10
gcc version 2.6.3
>Description:
(BTW: Maybe, this is just a doc-bug...)
When matching a regexp against $REQUEST_URI with SetEnvIf or SetEnvIfNoCase,
the query string is truncated from the URI.
In my access.conf I've written:
SetEnvIf Request_URI test$ is_a_test
<FilesMatch test\..*>
Order allow,deny
Allow from all
Deny from env=is_a_test
</FilesMatch>
With this configuration, a request to
http://www.dagstuhl.de:8042/test.shtmltest
produces a 403 error as it should, but
http://www.dagstuhl.de:8042/test.shtml?test
doesn't. And
http://www.dagstuhl.de:8042/test.test?html
produces a 403 error, too, but it shouldn't.
The documentation in mod_setenvif.html says "Request_URI - the portion of
the URL following the scheme and host portion". And when using <!--#printenv -->
$REQUEST_URI contains the query string while e.g. $DOCUMENT_STRING doesn't.
>How-To-Repeat:
See above. This URL should be available at least next week. If not, the server
isn't for testing anymore and moved to port 80. :-)
>Fix:
- Update documentation in mod_setenvif.html to "Request_URI - the portion of
the URL following the scheme and host portion, but in comparsion to
mod_include.c without the query string" (But IMHO this solution would be
quite inconsistent!)
- Or match $REQUEST_URI without trucated query string against the regexp
- Or rename REQUEST_URI in mod_setenvif.c into DOCUMENT_URI
But I would be glad, if the fix would include a regexp matching against the
query string in any way.
BTW: The documentation doesn't exactly tell me all of the available environment
variables I can use with SetEnvIf, it just says "including the following:" or
"Some of the more commonly used request headers are:" or "Example:". No where
is mentioned, that I can't use e.g. $QUERY_STRING, although this is IMHO a
"more commonly used request header"... It would be nice, if all available
variables would be listed.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]