httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron W Morris <aaronmor...@mindspring.com>
Subject Re: [users@httpd] Cannot Access Includes Above Current Directory
Date Fri, 19 Dec 2003 03:36:10 GMT
Steve Benson wrote:

> Hi,
> I'm new to your list and configuring Apache with the SSL module enabled 
> and have a newbie configuration glitch I've not been able to resolve.
> 
> I've created a number of Apache web sites but this is my first using 
> SSL(mod_ssl incorporated into Apache 2.0.48, openssl). I've never 
> encountered anything like this before in web development.
> 
> My configuration is:
> RH Linux Kernel 2.4.20-8, Apache 2.0.48, OpenSSL -0.9.6l, PHP 4.3.4, 
> Apache was compiled with SSL and SSI enabled.  SSL appears to work OK 
> i.e. recognized by browser, cert and key accepted etc.
> 
> My document root is http - /www/sd/htdocs, https - /www/sd/htdocs/jobs
> I know this is a bit lengthy so please bear with me.
> I don't want anyone accessing the jobs directory without SSL enabled so 
> I have a redirect in httpd.conf to send requests for_ 
> __<http://www/sd/htdocs/jobs>_ to_ <https://www/sd/htdocs/jobs>_ .  The 
> redirect seems to works OK.
> 
> All seems to work fine with http and https access with one blaring 
> exception.
> My scripts have include directives which pull include files from 
> /www/sd/htdocs/include and that all works fine if run from one of the 
> http subdirectories i.e. /www/sd/htdocs/test.
> 
> <!--#include file="../include/middle.html" --> (other non-include SSI 
> commands work OK)
> or
> <?php
> include("../include/prepend.php");
> ....
> ?>
> But if I try the above code from a https directory, say_ 
> <https://www/sd/hddocs/jobs>_ the it will fail with:
> unable to include file "/www/sd/htdocs/include/middle.html" in parsed 
> file /www/sd/htdocs/jobs/index.shtml
> PHP Warning: main(../include/prepend.php): failed to open stream: No 
> such file or directory in /www/sd/htdocs/jobs/index.php on line 4
> 
> Using an absolute path rather than a relative path has no effect.  I 
> even tried a scriptalias clause, same as /cgi-bin/ but /include/ to the 
> include files dir, but that didn't work either.
> 
> There is no problem if I change the include location to 
> /www/sd/htdocs/jobs/include, I can run the scripts fine. So it seems I 
> can include at the same level or below but not up any level in the 
> directory tree if using https.
> 
> Or if I run the scripts from a directory not in the https virtual 
> server's directory tree such as /www/sd/htdocs/test the includes work fine.
> 
> This is the case with all other parts of the web site without SSL, all 
> scripts with include directives work fine.
> So to summarize:
> 
> - All scripts work fine with relative paths to include files as long as 
> they're accessed via http and are not in the https virtual server 
> directory tree structure.
> 
> - When accessing the same scripts within the https virtual server tree 
> the scripts cannot reference any include files that aren't at the same 
> level or below in the directory tree.
> 
> - If the include file is made available at the same level or below, no 
> problem accessing via relative or absolute paths.
> 
> - Even when the paths to include files are changed to absolute paths 
> they fail if the file is above the current directory in the tree.  For 
> some reason I can't go up the directory tree from within the https 
> virtual server directory structure. This is true no matter where I am in 
> the structure i.e. if I'm two levels deep in the directory tree I can't 
> reference a file up one level. If I'm three levels deep I can't 
> reference files back on level two, bummer!
> 
> Seems like such a small thing but with an existing site structure I'd 
> have to replicate many scripts, css',images etc. to make the components 
> I need available within the https virtual server's directory structure. 
> What a maintenance nightmare!
> 
> This seems to be a configuration problem but I've exhausted my resources 
> trying to figure out what within httpd.conf or ssl.conf would be causing 
> this behavior.
> 
> I've searched the web and SSL documentation but I seem to be missing 
> something here and I'm just banging my head against a wall. I've 
> modified both httpd.conf and ssl.conf 'til I'm blue with no change in 
> function.
> 
> I imagine this is some SSL configuration oversight on my part but so far 
> I've been unable to find it and would ask for anyone who may be able to 
> help to please give suggestions on what directive(s) are causing this. 
> I'd really appreciate a point in the right direction on a resolution.
> 
> Any suggestions you may offer are appreciated.
> Thanks for your help,
> 
> .......... Steve**
> 

The reason for this is quite simple.  The "file" directive for includes 
has to be relative to the current path and cannot contain ".." 
Basically, the include has to live in the current directory or in a 
subdirectory.  Use the "virtual" directive in place of the "file" 
directive and it should solve your problem.

"virtual" can reference absolute paths and URLs while "file" cannot.

ie
<!-- #include virtual="../include/middle.html" -->

-- 
Aaron W Morris <aaronmorris@mindspring.com> (decep)




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message