www-apache-bugdb mailing list archives

From "William A. Rowe, Jr." <wr...@covalent.net>
Subject Re: mod_dir/7804: filesmatch/directoryindex access
Date Wed, 31 Oct 2001 04:45:30 GMT
From: "Soeren Sonnenburg" <sonnenburg@informatik.hu-berlin.de>
Sent: Tuesday, October 30, 2001 2:30 AM

>  > This fails for a very specific reason.  The _filename_ / wasn't permitted
>  > before mod_dir ever had a chance to recover from your misconfiguration.
>  >
>  > This was nothing more than a misconfiguration.
>  I do not think so. Even after dropping the FilesMatch section ending in a
>  simple configuration like
>  <Directory />
>  Order deny,allow
>  deny from all
>  </Directory>
>  <Directory /var/www>
>  <FilesMatch "\.(html|png|gif|jpeg|jpg|php)$">
>  Order allow,deny
>  allow from all
>  </FilesMatch>
>  </Directory>
>  apache _does_ not allow http://server or http://server/.

Your request is first hitting the _directory_ file /var/www.  www is not in your FilesMatch
schema, so the request is rejected by authn.  Once rejected, mod_dir is not allowed to go
off and find a file, since that would expose the server to nefarious bypass exploits.

>  This should work, but wrongly http://server is not expanded to
>  http://server/index.html and therefore denied !

No, because /var/www is the file you requested, since that file is the DocumentRoot of your

>  However I can see any file in matching the specific endings below /var/www/
>  when explicitly stating them (http://server/index.html)

Sure, you didn't request the file www, you requested /var/www/index.html, which matches.

>  Moreover I do not see why
>  <FilesMatch "^...$|\.(html|php|gif|jpeg|jpg|png|js|css|jar)$">
>  allows http://server and not ^.$

Because you've told it to accept filenames of any three characters.  That works for www.
You've got to realize that the trailing '.' on win32 filenames is _not_ a real character
in the filename, so matching on \.$ won't work.  Matching on ^[^\.]*$ would, since it
says match any file with no period (extension) whatsoever.

>  As it is now, I can not protect the web server (denying all directory access
>  and selectively allowing files with specific file endings in certain
>  directories and below) and allowing http://server! If you can please tell
>  me how.

Somehow some 19+ million sites managed to deal with the existing config schema.  Please
see apacheweek.com and apachetoday.com for interesting articles on security, and address
these configuration questions to the comp.infosystems.www.servers.unix for further 
discussion.  I certainly wouldn't recommend it, but you could even try moving mod_dir
before mod_access.  There are plenty of resources, but this bug report is closed.
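Added illustration, not part of the thread: a small Python model of the evaluation order the reply describes, in which the access check runs on the literal requested filename (the directory /var/www, basename "www") before mod_dir can substitute the DirectoryIndex. The DocumentRoot, index name and FilesMatch patterns come from the thread; the simplified module-order model and the `serve` helper are assumptions for illustration.

```python
import os
import re
from typing import List, Tuple

# Constructed model of the 1.3-era request path discussed in the thread.
# Order of operations: (1) mod_access evaluates the requested filename,
# (2) only if that passes does mod_dir expand a directory to its index file.
DOCROOT = "/var/www"
DIRECTORY_INDEX = "index.html"


def allowed_by_filesmatch(filename: str, patterns: List[str]) -> bool:
    """'deny from all' is the default; a FilesMatch hit on the basename allows."""
    base = os.path.basename(filename)  # "/var/www" -> "www"
    return any(re.search(p, base) for p in patterns)


def serve(uri: str, patterns: List[str]) -> Tuple[int, str]:
    """Return (status, filename) for a request URI under the modelled order."""
    filename = DOCROOT + uri.rstrip("/")  # "/" -> "/var/www", the directory itself
    # Step 1: access check on the literal target; a directory must pass too.
    if not allowed_by_filesmatch(filename, patterns):
        return 403, filename
    # Step 2: only now is the directory mapped to its DirectoryIndex, which
    # is then subject to the same allow-list.
    if uri.endswith("/"):
        filename = filename + "/" + DIRECTORY_INDEX
        if not allowed_by_filesmatch(filename, patterns):
            return 403, filename
    return 200, filename


# The three configurations discussed in the thread.
EXT_ONLY = [r"\.(html|png|gif|jpeg|jpg|php)$"]              # original report
THREE_CHARS = [r"^...$", r"\.(html|php|gif|jpeg|jpg|png|js|css|jar)$"]
NO_EXTENSION = [r"^[^\.]*$", r"\.(html|png|gif|jpeg|jpg|php)$"]  # suggested fix

if __name__ == "__main__":
    for name, pats in [("ext-only", EXT_ONLY), ("three-chars", THREE_CHARS),
                       ("no-extension", NO_EXTENSION)]:
        print(name, serve("/", pats), serve("/index.html", pats))
```

Note that `^[^\.]*$` allows every extension-less name, not just the directory entry, so any such file placed under the DocumentRoot (a constructed "README", say) becomes reachable as well.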
