Return-Path:
Delivered-To: apache-bugdb-archive@hyperreal.org
Received: (qmail 1147 invoked by uid 6000); 2 Apr 1998 19:10:04 -0000
Received: (qmail 1085 invoked by uid 2001); 2 Apr 1998 19:10:01 -0000
Received: (qmail 28958 invoked by uid 2012); 2 Apr 1998 19:05:44 -0000
Message-Id: <19980402190544.28957.qmail@hyperreal.org>
Date: 2 Apr 1998 19:05:44 -0000
From: Dan Stevenson
Reply-To: daniels@media.mit.edu
To: apbugs@hyperreal.org
X-Send-Pr-Version: 3.2
Subject: general/2030: spelling error possibilities include files that shouldn't be seen
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

>Number: 2030
>Category: general
>Synopsis: spelling error possibilities include files that shouldn't be seen
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Apr 2 11:10:01 PST 1998
>Last-Modified:
>Originator: daniels@media.mit.edu
>Organization: apache
>Release: 1.3b5
>Environment:
Sun Solaris 2.5
from uname -a: SunOS barrett-1 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-5
>Description:
When the client requests a URL that does not exist, and mod_speling cannot find a single replacement, it lists many possibilities (code 300, multiple choices). Those include URLs that, when selected, generate 403 (or other) errors because they are forbidden. In fact, the read permissions are such that the user that runs the httpd (nobody) should be unable to see the files.
>How-To-Repeat:
http://classics.mit.edu/Tacitus/histories.123.html
The files ending in .gz have file permissions 400, where the owner is not the userid of the httpd.
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
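Added illustration, not part of the report and not Apache's mod_speling code: a small C sketch of the mitigation the report implies, namely checking with access(2) that the httpd process can actually read a near-match before advertising it in a 300 "Multiple Choices" list. The closeness rule (near_match), the readability-predicate type, the directory listing, the path /constructed/docroot/Tacitus and the stub predicate demo_unreadable_gz are all constructed for the example; only the file names echo the report's scenario.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Predicate deciding whether the server process may read a candidate file.
 * server_can_read() is the real check; the demo substitutes a stub so the
 * example runs without 0400 files owned by another user on disk. */
typedef int (*readable_fn)(const char *path);

/* Real check: access(2) answers for the current uid, i.e. the httpd user. */
int server_can_read(const char *path)
{
    return access(path, R_OK) == 0;
}

static int ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)a[k]) != tolower((unsigned char)b[k]))
            return 0;
    return 1;
}

/* Hypothetical "close enough" rule approximating a spelling corrector:
 * equal ignoring case, one edit (substitution, insertion or deletion)
 * apart, or one name equal to the other plus an extension. */
int near_match(const char *want, const char *have)
{
    size_t lw = strlen(want), lh = strlen(have);
    size_t i = 0, j = 0, edits = 0;

    if (lh > lw && ci_equal_n(want, have, lw) && have[lw] == '.')
        return 1;                        /* foo -> foo.gz */
    if (lw > lh && ci_equal_n(want, have, lh) && want[lh] == '.')
        return 1;                        /* foo.html -> foo */
    if (lw > lh + 1 || lh > lw + 1)
        return 0;
    while (i < lw && j < lh) {
        if (tolower((unsigned char)want[i]) == tolower((unsigned char)have[j])) {
            i++; j++;
            continue;
        }
        if (++edits > 1)
            return 0;
        if (lw == lh)     { i++; j++; }  /* substitution */
        else if (lw > lh) { i++; }       /* character missing in candidate */
        else              { j++; }       /* extra character in candidate */
    }
    edits += (lw - i) + (lh - j);        /* leftover tail counts as edits */
    return edits <= 1;
}

/* Build the "multiple choices" list, keeping only entries that are both
 * close to the request and readable by the server. Returns the count. */
size_t safe_candidates(const char *requested, const char *dir,
                       const char *const *entries, size_t n_entries,
                       readable_fn readable, const char **out, size_t max_out)
{
    size_t kept = 0;
    char path[4096];

    for (size_t k = 0; k < n_entries && kept < max_out; k++) {
        if (!near_match(requested, entries[k]))
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, entries[k]);
        if (!readable(path))             /* do not advertise what we cannot serve */
            continue;
        out[kept++] = entries[k];
    }
    return kept;
}

/* Constructed demo listing modelled on the report (not a real directory). */
static const char *const demo_entries[] = {
    "histories.123.html.gz",  /* the 0400 file: close, but must be dropped */
    "Histories.123.html",     /* case-only difference */
    "histories.124.html",     /* one character off */
    "annals.1.html",          /* unrelated, never a candidate */
};
static const char *const demo_dir = "/constructed/docroot/Tacitus";
static const char *const demo_request = "histories.123.html";

/* Stub for the report's situation: only the .gz file is unreadable. */
int demo_unreadable_gz(const char *path)
{
    size_t n = strlen(path);
    return !(n >= 3 && strcmp(path + n - 3, ".gz") == 0);
}

int always_readable(const char *path) { (void)path; return 1; }

/* Run the filter over the demo listing with the given predicate. */
size_t demo_candidate_count(readable_fn readable)
{
    const char *out[8];
    return safe_candidates(demo_request, demo_dir, demo_entries,
                           sizeof demo_entries / sizeof demo_entries[0],
                           readable, out, 8);
}

int main(void)
{
    const char *out[8];
    size_t n = safe_candidates(demo_request, demo_dir, demo_entries, 4,
                               demo_unreadable_gz, out, 8);
    printf("300 Multiple Choices for %s:\n", demo_request);
    for (size_t k = 0; k < n; k++)
        printf("  %s\n", out[k]);
    return 0;
}
```

With the stub predicate the .gz entry is dropped and two candidates remain; with always_readable all three near-matches are listed, which is the behaviour the report objects to. In a real module the predicate would be server_can_read, so the decision is made as the same uid that will later serve the file and a 403 cannot follow a 300.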