httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: probably a horrible time to bring this up, but, bug..
Date Thu, 04 Jul 1996 05:12:28 GMT
On Wed, 3 Jul 1996, Nathan Neulinger wrote:

> Ok, I had sent a bug report a long while back with some of the early 1.1
> betas, that seemed to have been fixed in 1.1b3. (Which was very very stable
> and reliable for me on HP-UX 9.05).
> However, the bug seems to have been reintroduced in either b5 or the final
> 1.1.

Arrrrrrrrrrrrrgh. It looks like some idiot by the name of Alexei Kosut,
five months ago, when he submitted a patch to allow Redirect in .htaccess
files, completely screwed up. This patch, which for some
God-only-knows-what reason got applied to the Apache distribution and ran
unquestioned in all releases following, had the following flaws:

1) It added these redirects directly to the server configuration,
   not a seperate per-dir config, which would be the correct thing to do

2) It did not check to see if the user was authorized to perform the
   redirect in question - if it had added them to a per-dir config and
   not a server one, checks would not have been neccessary. (see 1)

3) In altering the server config (which it shouldn't have done, see 1), it
   used per-request pool memory, which was unallocated and got really
   screwy as soon as the request was over. This explains the weird

If anyone sees this Alexei character, or those who +1ed the patch (there
must have been some who looked at it), shoot them.

I'll try and work up a patch later. We may need a 1.1.1. This is very
dangerous, since any idiot can put "Redirect / <anything here>" in their
.htaccess file and screw to heck every request to the server.

*sigh* Why didn't anyone notice this before, is what I'm wondering? It
never showed up while I was testing it, probably purely by chance.
Somebody put we out of everyone's misery.

A quick fix is to just remove the functionality; change the OR_FILEINFO in
mod_alias.c to RSRC_CONF. The proper fix is to set up a per-dir config
structure and use that to store .htaccess-invoked Redirects.


-- Alexei Kosut <>            The Apache HTTP Server

View raw message