www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Drew Wells <d...@elysium.ltd.uk>
Subject mod_actions/5700: Apache passes non-existent files to a script
Date Fri, 04 Feb 2000 12:23:33 GMT

>Number:         5700
>Category:       mod_actions
>Synopsis:       Apache passes non-existent files to a script
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Feb 04 04:30:00 PST 2000
>Originator:     drew@elysium.ltd.uk
>Release:        1.3.11
Linux neptune.milton-house.elysium.ltd.uk 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown
  AddHandler xmlparser .xml
  Action xmlparser /xmlparser.php

If you then request a non-existent .xml file (e.g http://www.anywhere.org/not-here.xml)
Apache doesn't produce a 404 error, it just passes the .xml file URL to the script.
This is only broken in 1.3.11, 404 errors are produced in 1.3.9.

(I thought I had already submitted this bug, but never got any E-Mail about it and
it doesn't appear in the bug database, so this is one last attempt)
Have no example URL's as I have already patched our servers.  But follow the
.htaccess instructions above and give it a try.
*** apache_1.3.11.orig/src/modules/standard/mod_actions.c       Tue Jan 11 14:23:03 2000
--- apache_1.3.11/src/modules/standard/mod_actions.c    Thu Feb  3 19:07:05 2000
*** 245,250 ****
--- 245,255 ----
      if ((t = ap_table_get(conf->action_types,
                          action ? action : ap_default_type(r)))) {
        script = t;
+       if (r->finfo.st_mode == 0) {
+           ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+                       "File does not exist: %s", r->filename);
+           return NOT_FOUND;
+       }

      if (script == NULL) {
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message