httpd-users mailing list archives

From "Joshua Slive" <>
Subject Re: [users@httpd] SSI and accepting bad URL.
Date Fri, 09 Jun 2006 16:16:27 GMT
On 6/9/06, Ahn, Chang <> wrote:
> I've just noticed an unusual behavior with Server-Side Include.  With
> SSI enabled, I can continuously add the page name and still pull the
> same page.  Basically
> m.shtml is the same page as
>  Instead of a 404, it
> actually finds the page.
> It's not rewrite rules; I removed them.  And I don't have any Redirect
> rules.  When I comment out the AddHandler directive, the problem goes
> away.  I'm not sure if this is a recent occurrence with 1.3.34 (and I
> haven't found it in the bug report or FAQ).  It's such a weird problem,
> I haven't been able to find any information on it (I'm probably not
> using the right search term because I'm not sure how to phrase this
> problem).
> I'm on Apache 1.3.34 and enabled SSI with the following directives:
> Options -ExecCGI -FollowSymLinks -Indexes +IncludesNOEXEC
> AddType text/html .shtml
> AddHandler server-parsed .shtml
> Any idea why SSI would allow these bad URLs?

They aren't bad URLs.  They are URLs with PATH_INFO tagged on the end,
which can be used by your CGI script.  (Think, for example, of a
script like which
could grab /home/page.html and process it.)

In 2.x, you have the AllowPathInfo directive to control this behavior.

In 1.3, you'd need to use a hack like
<LocationMatch \.shtml/.+>
Order deny,allow
Deny from all
</LocationMatch>
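
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how a URL is split into a file and trailing PATH_INFO, and what the LocationMatch pattern above does to it. The file names, the handler table and the function names are assumptions made for the illustration, not Apache code.

```python
import re

# Constructed document root: the only files that exist on disk.
FILES = {"/m.shtml", "/page.html"}

# Simplified handler table (assumption): the server-parsed handler accepts
# trailing PATH_INFO, the default static handler answers 404 for it.
ACCEPTS_PATH_INFO = {".shtml": True, ".html": False}

# Pattern from the LocationMatch workaround in the reply.
DENY_SSI_PATH_INFO = re.compile(r"\.shtml/.+")


def split_path_info(url_path):
    """Split a URL path into (file, path_info); None if no prefix is a file."""
    parts = url_path.split("/")
    for end in range(len(parts), 1, -1):       # try the longest prefix first
        candidate = "/".join(parts[:end])
        if candidate in FILES:
            return candidate, url_path[len(candidate):]
    return None


def status_for(url_path, ssi_enabled=True, deny_rule=False):
    """Return the HTTP status this model gives for url_path."""
    if deny_rule and DENY_SSI_PATH_INFO.search(url_path):
        return 403                              # "Deny from all" applies
    hit = split_path_info(url_path)
    if hit is None:
        return 404                              # no file anywhere in the path
    filename, path_info = hit
    ext = filename[filename.rfind("."):]
    accepts = ACCEPTS_PATH_INFO.get(ext, False)
    if ext == ".shtml" and not ssi_enabled:
        accepts = False                         # AddHandler commented out
    if path_info and not accepts:
        return 404                              # extra path refused
    return 200


if __name__ == "__main__":
    for path in ("/m.shtml", "/m.shtml/m.shtml/m.shtml",
                 "/m.shtml/", "/page.html/x", "/nope.shtml/x"):
        print(path, status_for(path), status_for(path, deny_rule=True))
```

The pattern needs at least one character after the slash, so a request ending in a bare `.shtml/` is not matched by it.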

