httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 58854] New: RewriteRule in .htaccess ignores 'Require all denied' when 403 ErrorDocument is missing
Date Wed, 13 Jan 2016 23:58:26 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=58854

            Bug ID: 58854
           Summary: RewriteRule in .htaccess ignores 'Require all denied'
                    when 403 ErrorDocument is missing
           Product: Apache httpd-2
           Version: 2.4.18
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: mod_rewrite
          Assignee: bugs@httpd.apache.org
          Reporter: kurt.newman@cpanel.net

Note
 Some of the examples below may be "expected", but the results seem incorrect
in a couple of the cases.

Synopsis:
 1. Apache 2.2 used to treat "RewriteRule .* goodbye.txt" and "RewriteRule .*
/goodbye.txt" identically by treating goodbye.txt as a file in the docroot
(even when the beginning / was missing).
 2. Apache 2.2 used to correctly forbid access to a goodbye.txt when a
directive above it prevented access (e.g. Order deny,allow\nDeny from all)
 3. This no longer works in Apache 2.4

Example of Apache 2.4.18 working correctly:
 1. Create /home/cgihw/public_html/.htaccess:
    Require all denied
    RewriteEngine on
    RewriteRule .* /goodbye.txt [L]
 2. Remove file: rm -f /home/cgihw/public_html/403.shtml
 3. Remove file: rm -f /home/cgihw/public_html/missing.txt
 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt
 5. Navigate to http://cgihw.loc/missing.txt
 6. Observe that Apache 2.4.18 gives a 403 Forbidden response
 7. Observe the default LimitInternalRecursion limit of 10 is hit
 8. Observe that no Internal server error is presented to the user

Example of Apache 2.4.18 working incorrectly:
 1. Create /home/cgihw/public_html/.htaccess:
    Require all denied
    RewriteEngine on
    RewriteRule .* goodbye.txt [L]
 2. Remove file: rm -f /home/cgihw/public_html/403.shtml
 3. Remove file: rm -f /home/cgihw/public_html/missing.txt
 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt
 5. Navigate to http://cgihw.loc/missing.txt
 6. Observe that you are incorrectly presented with the contents of goodbye.txt
 7. Observe that the LimitInternalRecursion limit is never compared against
 8. Observe that no Internal server error is presented to the user

Example of Apache 2.4.18 erroneously presenting an Internal server error:
 1. Create /home/cgihw/public_html/.htaccess:
    Require all granted
    RewriteEngine on
    RewriteRule .* /goodbye.txt [L]
 2. Remove file: rm -f /home/cgihw/public_html/403.shtml
 3. Remove file: rm -f /home/cgihw/public_html/missing.txt
 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt
 5. Navigate to http://cgihw.loc/missing.txt
 6. Observe that you are now presented with an Internal server error, instead
    of a forbidden message
 7. Observe the default LimitInternalRecursion limit of 10 is hit

Background Notes
 - This seems to be a problem within mod_rewrite not setting the
redirect-handler correctly for the generated sub request when the 403
ErrorDocument is missing.  The log indicates that the request is denied, yet
the web server still presents the user with content.
 - This used to work in Apache 2.2, but no longer works in Apache 2.4.18.  The
difference being, Apache 2.2 used the 'Order' directive, and not 'Require'
directive.

I've attached the following files:
 - Example httpd.conf (file: broken.conf)
 - Configure line used to compile Apache 2.4.18
 - Log output for success
 - Log output for regression

Please see logs, configure line, and example Apache configuration for more
detailed information.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
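
An added audit sketch, not part of the original report or of httpd: it flags an .htaccess file that matches the combination described in the report, namely 'Require all denied', an enabled rewrite engine, and a RewriteRule whose substitution has no leading slash, while the 403 document is absent. The function names and the `403.shtml` default are assumptions drawn from the reproduction steps; it is a per-file heuristic that does not evaluate inherited configuration or quoted arguments.

```python
import re
from pathlib import Path

# Substitutions that are not relative paths: "-", absolute paths, full URLs.
NOT_RELATIVE = re.compile(r"^(-$|/|[A-Za-z][A-Za-z0-9+.-]*://)")


def audit_htaccess(text, error_doc_exists):
    """Return (line_number, substitution) for each RewriteRule matching the
    reported pattern; an empty list means this file does not match it."""
    denied = engine_on = False
    relative_rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        lowered = [a.lower() for a in args]
        if directive == "require" and lowered == ["all", "denied"]:
            denied = True
        elif directive == "rewriteengine" and lowered == ["on"]:
            engine_on = True
        elif directive == "rewriterule" and len(args) >= 2:
            # args[0] is the pattern, args[1] the substitution
            if not NOT_RELATIVE.match(args[1]):
                relative_rules.append((lineno, args[1]))
    if denied and engine_on and not error_doc_exists:
        return relative_rules
    return []


def audit_docroot(docroot, error_doc="403.shtml"):
    """Audit <docroot>/.htaccess, checking for the 403 document on disk."""
    root = Path(docroot)
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        return []
    return audit_htaccess(htaccess.read_text(), (root / error_doc).is_file())


# Constructed samples mirroring two of the .htaccess files in the report.
WORKING = "Require all denied\nRewriteEngine on\nRewriteRule .* /goodbye.txt [L]\n"
BYPASS = "Require all denied\nRewriteEngine on\nRewriteRule .* goodbye.txt [L]\n"

if __name__ == "__main__":
    for name, body in (("working", WORKING), ("bypass", BYPASS)):
        print(name, audit_htaccess(body, error_doc_exists=False))
```

A hit means the file deserves a manual test against the running server; it does not by itself prove that content is served.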