httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] SSI and accepting bad URL.
Date Fri, 09 Jun 2006 16:16:27 GMT
On 6/9/06, Ahn, Chang <ahnc@staff.abanet.org> wrote:
> I've just noticed an unusual behavior with Server-Side Include.  With
> SSI enabled, I can continuously add the page name and still pull the
> same page.  Basically
> http://www.abanet.org/tax/taxtips4u/scam.shtml/scam.shtml/scam.shtml/scam.shtml is the same page as
> http://www.abanet.org/tax/taxtips4u/scam.shtml.  Instead of a 404, it
> actually finds the page.
>
> It's not rewrite rules; I removed them.  And I don't have any Redirect
> rules.  When I comment out the AddHandler directive, the problem goes
> away.  I'm not sure if this is a recent occurrence with 1.3.34 (and I
> haven't found it in the bug report or FAQ).  It's such a weird problem,
> I haven't been able to find any information on it (I'm probably not
> using the right search term because I'm not sure how to phrase this
> problem).
>
> I'm on Apache 1.3.34 and enabled SSI with the following directives:
>
> Options -ExecCGI -FollowSymLinks -Indexes +IncludesNOEXEC
> AddType text/html .shtml
> AddHandler server-parsed .shtml
>
> Any idea why SSI would allow these bad URLs?

They aren't bad URLs.  They are URLs with PATH_INFO tagged on the end,
which can be used by your CGI script.  (Think, for example, of a
script like http://example.com/convert-to-pdf.cgi/home/page.html which
could grab /home/page.html and process it.)

In 2.x, you have the AllowPathInfo directive to control this behavior.

In 1.3, you'd need to use a hack like
<LocationMatch \.shtml/.+>
Order deny,allow
Deny from all
</LocationMatch>

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
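As an added illustration (not part of the thread, and not Apache's own code): a small Python model of the lookup Joshua describes, which walks the request path one segment at a time until it reaches a real file and treats whatever follows as PATH_INFO, plus the same unanchored `\.shtml/.+` test the LocationMatch hack applies. The document root and its single scam.shtml file are constructed in a temporary directory; the status codes are the model's assumptions (200 served, 403 denied, 404 nothing mapped).

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# Constructed document root holding only the page the thread talks about.
DOCROOT = tempfile.mkdtemp(prefix="docroot-")
os.makedirs(os.path.join(DOCROOT, "tax", "taxtips4u"))
with open(os.path.join(DOCROOT, "tax", "taxtips4u", "scam.shtml"), "w") as fh:
    fh.write('<!--#echo var="DOCUMENT_NAME" -->\n')


def split_path_info(docroot: str, uri_path: str) -> Optional[Tuple[str, str]]:
    """Map a URL path to (filename, PATH_INFO) by walking it segment by segment.
    The first prefix that is a regular file is the filename; the remaining
    segments become PATH_INFO. Returns None when no file lies on the path."""
    segments = [s for s in uri_path.split("/") if s]
    current = docroot
    for idx, seg in enumerate(segments):
        current = os.path.join(current, seg)
        if os.path.isfile(current):
            rest = segments[idx + 1:]
            return current, ("/" + "/".join(rest)) if rest else ""
        if not os.path.isdir(current):
            return None  # walked off the filesystem: genuine 404
    return None  # URL names a directory, not a file


# Same regex as the 1.3 LocationMatch hack: ".shtml" followed by more path.
TRAILING_PATH_INFO = re.compile(r"\.shtml/.+")


def ssi_request_status(docroot: str, uri_path: str, deny_path_info: bool) -> int:
    """Status a server-parsed .shtml request gets in this model. Without the
    deny rule the handler accepts any PATH_INFO and serves the mapped file;
    with the rule, a request carrying trailing path data is refused."""
    if deny_path_info and TRAILING_PATH_INFO.search(uri_path):
        return 403
    if split_path_info(docroot, uri_path) is None:
        return 404
    return 200
```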

