www-apache-bugdb mailing list archives

From Zoli Kiss <zoli1...@yahoo.com>
Subject mod_include/5300: When server side includes are enabled paths such as: http://server/index.html/foo/foo/ are accepted.
Date Sat, 13 Nov 1999 04:59:55 GMT

>Number:         5300
>Category:       mod_include
>Synopsis:       When server side includes are enabled paths such as: http://server/index.html/foo/foo/ are accepted.
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Nov 12 21:10:01 PST 1999
>Last-Modified:
>Originator:     zoli1000@yahoo.com
>Organization:
apache
>Release:        1.3.6
>Environment:
Solaris 2.6 Latest patches
>Description:
When server side includes are enabled, I can enter additional junk
on the end of the URL, and Apache does not complain. This may not
really be an error, but somehow while Verity is spidering the site,
it gets caught in endless loops trying to insert URLs like:
http://www.server.com/index.html/IT/info/<other hrefs>
If I change my Option line in access.conf, and remove Includes, then
I get a page not found error, as I would expect, from Apache.

I thought I got rid of this problem when I disabled MultiViews,
but I guess not.

I cannot disable SSI since tons of our pages use it, but I can't
get Verity to work correctly either.

I would be very happy to receive any fixes, workarounds,
comments, etc.

Please Help
Thanks,
Zoli
>How-To-Repeat:
To duplicate this, type in the following URL:
http://www.apache.org/index.html/foo/foo/foo/foo/
Then click on one of the relative links, like FAQ or Foundation
You will see that it will not make it to these URLs, but it will
accept them.

If you update the conf file, and remove the Include Option, this
same URL will not be allowed.
>Fix:
I guess the mod_include code would need to verify that the full/entire path
is valid?
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
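
The loop described in this report, reproduced as an added example (not part of the original message and not Apache or Verity code): relative links resolved against a URL that carries trailing path info keep producing new, longer URLs that the server still accepts. The host name, link targets, function names and the crawler-side guard are constructed for illustration, and the server model covers only /index.html.

```python
# Added illustration; host, links and function names are constructed.
from urllib.parse import urljoin, urlsplit

# Relative hrefs on the constructed page, in the style of the report.
PAGE_LINKS = ["IT/info/", "faq.html"]
DOC_EXTENSIONS = (".html", ".htm", ".shtml")


def server_accepts(url):
    """Model the reported behaviour: with Includes on, /index.html plus any
    trailing path info is served as /index.html. Every other path is a 404
    in this model."""
    path = urlsplit(url).path
    return path == "/index.html" or path.startswith("/index.html/")


def has_trailing_path_info(url):
    """True when a non-final path segment looks like a document, i.e. the
    URL is a file name followed by extra path segments."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return any(s.lower().endswith(DOC_EXTENSIONS) for s in segments[:-1])


def crawl(start, max_pages, guard=False):
    """Breadth-first crawl against the model server; returns URLs fetched."""
    seen, queue, fetched = {start}, [start], []
    while queue and len(fetched) < max_pages:
        url = queue.pop(0)
        if guard and has_trailing_path_info(url):
            continue  # dropped before any request is made
        if not server_accepts(url):
            continue  # the model server answers 404
        fetched.append(url)
        for href in PAGE_LINKS:
            nxt = urljoin(url, href)  # relative link resolved against url
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return fetched


if __name__ == "__main__":
    trap = "http://www.server.com/index.html/IT/info/"
    for u in crawl(trap, max_pages=6):
        print(u)
```

The unguarded crawl stops only because of max_pages; the guard treats any URL with a document-like segment before the last one as path info, so a site that uses path info on purpose would need an exception.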



