httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52465] New: mod_dir is allowed to redirect proxy requests
Date Fri, 13 Jan 2012 16:53:00 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52465

             Bug #: 52465
           Summary: mod_dir is allowed to redirect proxy requests
           Product: Apache httpd-2
           Version: 2.2.21
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: matthew.byng-maddick@bbc.co.uk
    Classification: Unclassified


There exists a code path where, if you have a directory <docroot>/foo (or
similar aliased directory), and you do something like:

<Location /foo>
  RewriteRule ^ http://some.other.server%{REQUEST_URI} [P]
</Location>

If you request /foo (no trailing slash), you go through your request phases, do
URI->filename translation, lookup the file (and find it exists), so you set
r->finfo up (particularly with r->finfo.filetype == APR_DIR) from the stat
call, and then you get to your fixups.

mod_rewrite does its fixup, rewriting r->filename to
proxy:http://some.other.server/foo, as it should, it then sets up r->handler to
be proxy_server, and sets r->proxyreq to be PROXY_REVERSE, as it should.

Unfortunately, r->finfo.filetype is still set, so when mod_dir comes to do
*its* fixups, it finds that the finfo.filetype is APR_DIR, it then finds that
the uri doesn't have a trailing slash, so it helpfully redirects to one that
does.

There are 2 possible fixes for this, and it might be worth applying both:
(1) mod_dir.c:dir_fixups(), at the beginning add something that checks for
r->proxyreq, r->filename and !strncmp(r->filename, "proxy:", 6), and returns
DECLINED.
(2) mod_rewrite.c:hook_fixup(), before the log line:
            rewritelog((r, 1, dconf->directory, "go-ahead with proxy request "
                        "%s [OK]", r->filename));
add: r->finfo.filetype = APR_NOFILE;

Either, on their own, will sort out the problem, but there may be other ways to
get to either state, so it seems sensible to belt-and-braces...

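The fixup ordering described in the report, as an added example that is not part of the original message and is not httpd source code. It uses a constructed stand-in for request_rec (model_req) and illustrative constant values, and shows that either proposed fix suppresses the redirect for the proxied request while a plain directory request still gets its trailing-slash redirect.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for httpd/APR constants and request_rec; values are illustrative. */
enum { DECLINED = -1, OK = 0, REDIRECT = 301 };
enum { APR_NOFILE = 0, APR_DIR = 2 };
enum { PROXY_NONE = 0, PROXY_REVERSE = 1 };

typedef struct {
    const char *uri;       /* r->uri */
    const char *filename;  /* r->filename */
    int proxyreq;          /* r->proxyreq */
    int filetype;          /* r->finfo.filetype, filled in by the earlier stat */
} model_req;

/* mod_rewrite fixup for a [P] rule; fix2 applies proposal (2). */
static int rewrite_fixup(model_req *r, int fix2) {
    r->filename = "proxy:http://some.other.server/foo";
    r->proxyreq = PROXY_REVERSE;
    if (fix2) r->filetype = APR_NOFILE;  /* drop the stale stat result */
    return OK;
}

/* mod_dir fixup; fix1 applies proposal (1). */
static int dir_fixup(const model_req *r, int fix1) {
    size_t n = strlen(r->uri);
    if (fix1 && r->proxyreq && r->filename && !strncmp(r->filename, "proxy:", 6))
        return DECLINED;                 /* proxied request: not mod_dir's business */
    if (r->filetype == APR_DIR && (n == 0 || r->uri[n - 1] != '/'))
        return REDIRECT;                 /* would redirect to uri + "/" */
    return DECLINED;
}

/* GET /foo where <docroot>/foo is a directory and the [P] rule applies. */
int proxied_request(int fix1, int fix2) {
    model_req r = { "/foo", "/docroot/foo", PROXY_NONE, APR_DIR };
    rewrite_fixup(&r, fix2);
    return dir_fixup(&r, fix1);
}

/* Control: same directory with no rewrite rule; the redirect must survive fix (1). */
int plain_request(int fix1) {
    model_req r = { "/foo", "/docroot/foo", PROXY_NONE, APR_DIR };
    return dir_fixup(&r, fix1);
}

int main(void) {
    printf("unpatched=%d fix1=%d fix2=%d both=%d plain=%d\n", proxied_request(0, 0),
           proxied_request(1, 0), proxied_request(0, 1), proxied_request(1, 1), plain_request(1));
    return 0;
}
```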