You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/06 00:06:01 UTC

DO NOT REPLY [Bug 28218] New: - errors in regular expressions for LocationMatch cause silent failures

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28218>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28218

errors in regular expressions for LocationMatch cause silent failures

           Summary: errors in regular expressions for LocationMatch cause
                    silent failures
           Product: Apache httpd-1.3
           Version: 1.3.29
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kjw@acm.org


We discovered a Location block that was not working in one of our apache 
configs and one of the few changes was the addition of a slightly broken 
looking regular expression which featured something like this

<Location ~ ^/something/||^/something-else/>

</Location>

The problem turned out to be the ||. I had a quick glance through the code and 
it reads like the regular expression library doesn't like this and regards it 
as an error (i note solaris egrep errors, perl thinks its ok). The problem is 
that this error is not reported to the user so the configuration appears to be 
ok when the process is started. I think this is both confused to the naive 
configuration creator and potentially dangerous if the Location block contains 
some critical (say, security-related) directives.

It looks like the (handful of) ap_pregcomp calls in http_core.c do not check 
for a NULL return code that would indicate a failed compilation. So this
affects Location ~, LocationMatch, Directory ~, DirectoryMatch, Files ~, 
FilesMatch.

Perhaps this problem exists in apache 2.0 as well? And maybe other areas of 
apache 1.3 (not mod_alias, just had a look there!).

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org