httpd-dev mailing list archives

From Alexei Kosut <ako...@organic.com>
Subject Re: probably a horrible time to bring this up, but, bug..
Date Thu, 04 Jul 1996 05:12:28 GMT

On Wed, 3 Jul 1996, Nathan Neulinger wrote:

> Ok, I had sent a bug report a long while back with some of the early 1.1
> betas, that seemed to have been fixed in 1.1b3. (Which was very very stable
> and reliable for me on HP-UX 9.05).
> 
> However, the bug seems to have been reintroduced in either b5 or the final
> 1.1.

Arrrrrrrrrrrrrgh. It looks like some idiot by the name of Alexei Kosut,
five months ago, when he submitted a patch to allow Redirect in .htaccess
files, completely screwed up. This patch, which for some
God-only-knows-what reason got applied to the Apache distribution and ran
unquestioned in all releases following, had the following flaws:

1) It added these redirects directly to the server configuration,
   not a separate per-dir config, which would be the correct thing to do

2) It did not check to see if the user was authorized to perform the
   redirect in question - if it had added them to a per-dir config and
   not a server one, checks would not have been necessary. (see 1)

3) In altering the server config (which it shouldn't have done, see 1), it
   used per-request pool memory, which was unallocated and got really
   screwy as soon as the request was over. This explains the weird
   redirects.

If anyone sees this Alexei character, or those who +1ed the patch (there
must have been some who looked at it), shoot them.

I'll try and work up a patch later. We may need a 1.1.1. This is very
dangerous, since any idiot can put "Redirect / <anything here>" in their
.htaccess file and screw to heck every request to the server.

*sigh* Why didn't anyone notice this before, is what I'm wondering? It
never showed up while I was testing it, probably purely by chance.
Somebody put me out of everyone's misery.

A quick fix is to just remove the functionality; change the OR_FILEINFO in
mod_alias.c to RSRC_CONF. The proper fix is to set up a per-dir config
structure and use that to store .htaccess-invoked Redirects.

Arrgh.

-- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
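
Added example, not part of the original message and not Apache's code: a simplified C model of flaws 1 and 2 above, showing why a .htaccess Redirect stored in the server-wide table affects every request while a per-directory table confines it. The struct and function names, the /~user/ directory and the target URL are hypothetical; the model does not reproduce mod_alias internals or the pool-memory problem in flaw 3.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REDIRECTS 8

struct redirect { const char *from, *to; };                /* one Redirect directive */
struct redir_table { struct redirect r[MAX_REDIRECTS]; int n; };
/* Hypothetical per-directory config: the URL space a .htaccess governs. */
struct dir_conf { const char *url_prefix; struct redir_table redirs; };

static void add_redirect(struct redir_table *t, const char *from, const char *to) {
    if (t->n < MAX_REDIRECTS) { t->r[t->n].from = from; t->r[t->n].to = to; t->n++; }
}

/* First directive whose `from` is a prefix of the URI, or NULL. */
static const char *match(const struct redir_table *t, const char *uri) {
    for (int i = 0; i < t->n; i++)
        if (strncmp(uri, t->r[i].from, strlen(t->r[i].from)) == 0)
            return t->r[i].to;
    return NULL;
}

/* Constructed input: /~user/.htaccess holds "Redirect / http://elsewhere.example/". */
static const char *HT_FROM = "/", *HT_TO = "http://elsewhere.example/";

/* Flaws 1 and 2: the directive lands in the server-wide table, unchecked. */
const char *lookup_flawed(const char *uri) {
    struct redir_table server = { .n = 0 };
    add_redirect(&server, HT_FROM, HT_TO);
    return match(&server, uri);
}

/* Per-dir storage: the table is consulted only for URIs inside that directory. */
const char *lookup_scoped(const char *uri) {
    struct redir_table server = { .n = 0 };
    struct dir_conf user = { .url_prefix = "/~user/", .redirs = { .n = 0 } };
    add_redirect(&user.redirs, HT_FROM, HT_TO);
    const char *to = match(&server, uri);
    if (!to && strncmp(uri, user.url_prefix, strlen(user.url_prefix)) == 0)
        to = match(&user.redirs, uri);
    return to;
}

int main(void) {
    const char *uris[] = { "/index.html", "/~user/page.html" };
    for (int i = 0; i < 2; i++) {
        const char *f = lookup_flawed(uris[i]), *s = lookup_scoped(uris[i]);
        printf("%-18s flawed=%s scoped=%s\n", uris[i], f ? f : "-", s ? s : "-");
    }
    return 0;
}
```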

