httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 56084] Apache ignores access control when using FastCGI (mod_alias & mod_action)
Date Wed, 29 Jan 2014 02:01:01 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56084

Eric Covener <covener@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Eric Covener <covener@gmail.com> ---
Every request to /fcgi-php-fpm is mapped to something that doesn't exist on
disk (by the Alias directive), so no <Directory> or <Files> configuration is
applicable.

In other words, httpd is not mapping any of those PHP files to disk.  So from
its perspective, there is no access control.

The fcgi script executes whatever you pass it (as PATH_INFO?), but most of the
limiting in httpd that would limit URLs or PATH_INFO will apply the same to the
original request as it does when mod_actions internally redirects it.

Can you log %{SCRIPT_FILENAME}e, %{PATH_TRANSLATED}e, and %{PATH_INFO}e for
both cases?

append to httpd.conf:

  CustomLog logs/pr56084.log "%h %l %u %t \"%r\" %>s %b SF=%{SCRIPT_FILENAME}e
PT=%{PATH_TRANSLATED}e PI=%{PATH_INFO}e"

Unfortunately even if these differ, they are not set until the handler is
already running, so it would not be useful for core apache directives to act
on.  But it might be useful for mod_fastcgi or php-fpm.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message