Bug 41867

Summary: <DirectoryMatch> Matches Files
Product: Apache httpd-2
Component: Core
Version: 2.2.8
Hardware: PC
OS: Linux
Status: RESOLVED LATER
Severity: normal
Priority: P2
Target Milestone: ---
Reporter: imacat <imacat>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
CC: charles.belov, jkaluza, luhliari
Keywords: MassUpdate
Attachments: append trailing slash to directory; another approach; another approach v2

Description imacat 2007-03-16 08:52:32 UTC
Hi.  This is imacat from Taiwan.  I'm using the newest Apache 2.2.4.  I
found that <DirectoryMatch> matches not only directories, but also files.  The
attached is a small piece of terminal log showing that <DirectoryMatch> matches
partial part of the path, but not the directories.

    Please tell me if I can be of any help, or if you need any more information.
 Thank you.

======================
imacat@rinse ~ % ls -l /tmp/apache/htdocs
total 8
drwxr-xr-x  2 imacat users 4096 Mar 16 23:44 private
-rw-r--r--  1 imacat users   40 Mar 16 23:40 privatedetective.txt
imacat@rinse ~ % cat /tmp/apache/htdocs/privatedetective.txt
Sherlock Holmes is a private detective.
imacat@rinse ~ % cat /tmp/apache/httpd.conf
User nobody
Group nogroup
ServerName localhost
ServerAdmin webmaster@localhost
ServerRoot /tmp/apache
DocumentRoot /tmp/apache/htdocs
PidFile /tmp/apache/httpd.pid
LoadModule authz_host_module /usr/lib/apache2/mod_authz_host.so
Listen 50080
ErrorLog /tmp/apache/error_log

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Order allow,deny
</DirectoryMatch>
imacat@rinse ~ % /usr/sbin/httpd -f /tmp/apache/httpd.conf
imacat@rinse ~ % telnet localhost 50080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /privatedetective.txt HTTP/1.1
Host: localhost
Connection: close

HTTP/1.1 403 Forbidden
Date: Fri, 16 Mar 2007 15:46:45 GMT
Server: Apache/2.2.4 (Unix)
Content-Length: 222
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /privatedetective.txt
on this server.</p>
</body></html>
Connection closed by foreign host.
imacat@rinse ~ % kill $(<//tmp/apache/httpd.pid)
imacat@rinse ~ %
Comment 1 rahul 2008-07-30 03:45:59 UTC
Could not reproduce this in 2.3 trunk
Here is what I tried,
|pwd
/space/store/apache.18.Jul/install
|echo "Hello" > ./htdocs/apache_test.txt

httpd.conf:
<DirectoryMatch ^/space/store/apache.18.Jul/install/htdocs/apache>
    deny from all
</DirectoryMatch>

|telnet 0 8080      
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /apache_test.txt HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 30 Jul 2008 10:29:30 GMT
Server: Apache/2.3.0-dev (Unix)
Last-Modified: Wed, 30 Jul 2008 10:28:38 GMT
ETag: "60126-6-4533b384084df"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/plain

Hello
Comment 2 imacat 2008-07-30 12:09:19 UTC
(In reply to comment #1)
> Could not reproduce this in 2.3 trunk

Well, I have confirmed that this issue still exists in 2.2.8.
Could you please tell me how to obtain the 2.3 trunk, so that I can test it?  Thank you.
Comment 3 rahul 2008-07-30 12:22:15 UTC
> Well, I have confirmed that this issue still exists in 2.2.8.
> Could you please tell me how to obtain the 2.3 trunk, so that I can test it? 
> Thank you.

get the tar ball from http://svn.apache.org/snapshots/httpd/ 

(Yes it exists in 2.2.8)
Comment 4 imacat 2008-08-05 22:00:54 UTC
Hi.  This is imacat from Taiwan.  Sorry for the reply delay.  It took me some time to let 2.3 run.

(In reply to comment #3)
> get the tar ball from http://svn.apache.org/snapshots/httpd/ 

    It does not work, for httpd_20080805161439.tar.gz.  The terminal log is below.  I used my test case and yours.  Both fail.  Did I fail to load some module?

    Please tell me if there is any question, or if I could be of any help.  Thank you.

imacat@rinse ~ % ls -l /tmp/apache/htdocs
total 8
drwxr-xr-x 2 imacat users 4096 Aug  6 12:42 private
-rw-r--r-- 1 imacat users   40 Aug  6 12:34 privatedetective.txt
imacat@rinse ~ % cat /tmp/apache/htdocs/privatedetective.txt
Sherlock Holmes is a private detective.
imacat@rinse ~ % cat /tmp/apache/httpd.conf
DocumentRoot /tmp/apache/htdocs
PidFile /tmp/apache/httpd.pid
LoadModule access_compat_module /tmp/httpd-2.3/modules/aaa/.libs/mod_access_compat.so
Listen 50080
ErrorLog /tmp/apache/error_log

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
imacat@rinse ~ % ls -l /tmp/httpd-2.3/CHANGES
-rw-r--r-- 1 imacat users 18371 Aug  5 00:14 /tmp/httpd-2.3/CHANGES
imacat@rinse ~ % /tmp/httpd-2.3/httpd -f /tmp/apache/httpd.conf
imacat@rinse ~ % telnet localhost 50080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /privatedetective.txt HTTP/1.1
Host: localhost
Connection: close

HTTP/1.1 403 Forbidden
Date: Wed, 06 Aug 2008 04:47:44 GMT
Server: Apache/2.3.0-dev (Unix)
Content-Length: 222
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /privatedetective.txt
on this server.</p>
</body></html>
Connection closed by foreign host.
imacat@rinse ~ % kill $(<//tmp/apache/httpd.pid)
imacat@rinse ~ % cat /tmp/apache/error_log
[Wed Aug 06 12:47:35 2008] [notice] Apache/2.3.0-dev (Unix) configured -- resuming normal operations
[Wed Aug 06 12:47:44 2008] [error] [client 127.0.0.1] client denied by server configuration: /tmp/apache/htdocs/privatedetective.txt
[Wed Aug 06 12:47:49 2008] [notice] caught SIGTERM, shutting down
imacat@rinse ~ %

imacat@rinse apache.18.Jul/install % pwd
/space/store/apache.18.Jul/install
imacat@rinse apache.18.Jul/install % echo "Hello" > ./htdocs/apache_test.txt
imacat@rinse apache.18.Jul/install % cat httpd.conf
DocumentRoot /space/store/apache.18.Jul/install/htdocs
LoadModule access_compat_module /tmp/httpd-2.3/modules/aaa/.libs/mod_access_compat.so
Listen 8080
PidFile /space/store/apache.18.Jul/install/httpd.pid
ErrorLog /space/store/apache.18.Jul/install/error_log
<DirectoryMatch ^/space/store/apache.18.Jul/install/htdocs/apache>
    deny from all
</DirectoryMatch>
imacat@rinse apache.18.Jul/install % /tmp/httpd-2.3/httpd -f $PWD/httpd.conf
imacat@rinse apache.18.Jul/install % telnet 0 8080
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /apache_test.txt HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Wed, 06 Aug 2008 04:57:30 GMT
Server: Apache/2.3.0-dev (Unix)
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /apache_test.txt
on this server.</p>
</body></html>
Connection closed by foreign host.
imacat@rinse apache.18.Jul/install % kill $(<httpd.pid)
imacat@rinse apache.18.Jul/install % cat error_log
[Wed Aug 06 12:57:19 2008] [notice] Apache/2.3.0-dev (Unix) configured -- resuming normal operations
[Wed Aug 06 12:57:30 2008] [error] [client 127.0.0.1] client denied by server configuration: /space/store/apache.18.Jul/install/htdocs/apache_test.txt
[Wed Aug 06 12:57:37 2008] [notice] caught SIGTERM, shutting down
imacat@rinse apache.18.Jul/install %
Comment 5 rahul 2008-08-07 06:19:28 UTC
Created attachment 22401 [details]
append trailing slash to directory

Please try this patch and let me know if this does what you expect.
(I was able to reproduce your problem, my earlier configuration was wrong.)
Comment 6 rahul 2008-08-07 06:21:49 UTC
The patch has the effect also that if you need to match 
/privatedirectory/ now, the regex to use will be 
"^/xxxx/private.*" rather than "/xxxx/private"
Comment 7 imacat 2008-08-07 11:44:47 UTC
    Hi.  This is imacat from Taiwan.

(In reply to comment #5)
> Created an attachment (id=22401) [details]
> Please try this patch and let me know if this does what you expect.

    I suppose this patch works for this issue.  Maybe you could apply this patch to the 2.2, 2.0 and 1.3 branches.

    However, the result is still not OK.  It now says "couldn't check user", where I do not know what it means at all.  This seems to be specific to the 2.3 branch, while 2.2 works fine.  I attached the log below.  Should I file a new bug on this?

imacat@rinse ~ % ls -l /tmp/apache/htdocs
total 8
drwxr-xr-x 2 imacat users 4096 Aug  6 12:42 private
-rw-r--r-- 1 imacat users   40 Aug  6 12:34 privatedetective.txt
imacat@rinse ~ % cat /tmp/apache/htdocs/privatedetective.txt
Sherlock Holmes is a private detective.
imacat@rinse ~ % cat /tmp/apache/httpd.conf
DocumentRoot /tmp/apache/htdocs
PidFile /tmp/apache/httpd.pid
Listen 50080
ErrorLog /tmp/apache/error_log
LoadModule access_compat_module /tmp/httpd-2.3-20080807161439/modules/aaa/.libs/mod_access_compat.so

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
imacat@rinse ~ % ls -l /tmp/httpd-2.3-20080807161439/CHANGES
-rw-r--r-- 1 imacat users 18559 Aug  8 00:14 /tmp/httpd-2.3-20080807161439/CHANGES
imacat@rinse ~ % /tmp/httpd-2.3-20080807161439/httpd -f /tmp/apache/httpd.conf
imacat@rinse ~ % telnet localhost 50080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /privatedetective.txt HTTP/1.1
Host: localhost
Connection: close

HTTP/1.1 500 Internal Server Error
Date: Thu, 07 Aug 2008 18:37:18 GMT
Server: Apache/2.3.0-dev (Unix)
Content-Length: 538
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 [no address given] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
Connection closed by foreign host.
imacat@rinse ~ % kill $(</tmp/apache/httpd.pid)
imacat@rinse ~ % cat /tmp/apache/error_log
[Fri Aug 08 02:37:14 2008] [notice] Apache/2.3.0-dev (Unix) configured -- resuming normal operations
[Fri Aug 08 02:37:18 2008] [crit] [client 127.0.0.1] configuration error:  couldn't check user: /privatedetective.txt
[Fri Aug 08 02:37:24 2008] [notice] caught SIGTERM, shutting down
imacat@rinse ~ %
Comment 8 rahul 2008-08-08 04:38:16 UTC
That is odd, I couldn't reproduce it, could you please post your httpd.conf in full (and logs with debug on)?
Comment 9 imacat 2008-08-08 18:44:49 UTC
    Hi.  This is imacat from Taiwan.

(In reply to comment #8)
> That is odd, I couldn't reproduce it, could you please post your httpd.conf in
> full (and logs with debug on)?

    I attached the terminal log below, including the httpd.conf, with "LogLevel debug".  Maybe I forgot to load some module or set some configuration?  Please tell me if you need any more information, or if I could be of any help.  Thank you.

imacat@rinse ~ % ls -l /tmp/apache/htdocs
total 8
drwxr-xr-x 2 imacat users 4096 Aug  6 12:42 private
-rw-r--r-- 1 imacat users   40 Aug  6 12:34 privatedetective.txt
imacat@rinse ~ % cat /tmp/apache/htdocs/privatedetective.txt
Sherlock Holmes is a private detective.
imacat@rinse ~ % cat /tmp/apache/httpd.conf
DocumentRoot /tmp/apache/htdocs
PidFile /tmp/apache/httpd.pid
Listen 50080
ErrorLog /tmp/apache/error_log
LogLevel debug
LoadModule access_compat_module /tmp/httpd-2.3-20080807161439/modules/aaa/.libs/mod_access_compat.so

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
imacat@rinse ~ % ls -l /tmp/httpd-2.3-20080807161439/CHANGES
-rw-r--r-- 1 imacat users 18559 Aug  8 00:14 /tmp/httpd-2.3-20080807161439/CHANGES
imacat@rinse ~ % /tmp/httpd-2.3-20080807161439/httpd -f /tmp/apache/httpd.conf
imacat@rinse ~ % telnet localhost 50080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /privatedetective.txt HTTP/1.1
Host: localhost
Connection: close

HTTP/1.1 500 Internal Server Error
Date: Fri, 08 Aug 2008 18:39:59 GMT
Server: Apache/2.3.0-dev (Unix)
Content-Length: 538
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 [no address given] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
Connection closed by foreign host.
imacat@rinse ~ % kill $(</tmp/apache/httpd.pid)
imacat@rinse ~ % cat /tmp/apache/error_log
[Sat Aug 09 02:39:54 2008] [notice] Apache/2.3.0-dev (Unix) configured -- resuming normal operations
[Sat Aug 09 02:39:54 2008] [info] Server built: Aug  8 2008 02:14:45
[Sat Aug 09 02:39:54 2008] [debug] prefork.c(960): AcceptMutex: sysvsem (default: sysvsem)
[Sat Aug 09 02:39:59 2008] [crit] [client 127.0.0.1] configuration error:  couldn't check user: /privatedetective.txt
[Sat Aug 09 02:40:02 2008] [info] removed PID file /tmp/apache/httpd.pid (pid=21062)
[Sat Aug 09 02:40:02 2008] [notice] caught SIGTERM, shutting down
imacat@rinse ~ %
Comment 10 rahul 2008-08-09 04:55:10 UTC
It is failing at check userid (ap_run_check_user_id), are you sure that apache process has permissions to access the file?
Comment 11 Eric Covener 2008-08-09 05:40:30 UTC
> [Sat Aug 09 02:39:59 2008] [crit] [client 127.0.0.1] configuration error: 
> couldn't check user: /privatedetective.txt
> [Sat Aug 09 02:40:02 2008] [info] removed PID file /tmp/apache/httpd.pid
> (pid=21062)

Is this just an error from not starting with the default conf from trunk -- mod_authz_host/require all granted?
Comment 12 imacat 2008-08-13 10:08:56 UTC
    Hi.  This is imacat from Taiwan.

(In reply to comment #11)
> > [Sat Aug 09 02:39:59 2008] [crit] [client 127.0.0.1] configuration error: 
> > couldn't check user: /privatedetective.txt
> > [Sat Aug 09 02:40:02 2008] [info] removed PID file /tmp/apache/httpd.pid
> > (pid=21062)
> Is this just an error from not starting with the default conf from trunk --
> mod_authz_host/require all granted 

    Sorry that I took several days to reply.  I really tried hard to get it working, but failed.  Could you please provide a sample httpd.conf that works for httpd 2.3, so that I can test?  Thank you very much for this.
Comment 13 rahul 2008-08-13 11:25:56 UTC
Here is my conf
==========================================================
ServerRoot "/space/store/apache.06.Aug/install"

Listen 8080
LoadModule access_compat_module modules/mod_access_compat.so
User daemon
Group daemon
ServerName agneyam
DocumentRoot "/tmp/apache/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory "/tmp/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    AuthzMergeRules Off
</Directory>

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
==========================================================
Comment 14 imacat 2008-08-13 20:55:51 UTC
    Hi.  This is imacat from Taiwan.

(In reply to comment #13)
> Here is my conf

    Thank you for your hint.  I got an error "Invalid command 'Require'" with your httpd.conf.  The terminal log is attached below.  I searched Google and found nothing on this.  Could you please tell me what it means?  Thank you very much.

imacat@rinse ~ % cat /tmp/apache/httpd.conf
Listen 8080
LoadModule access_compat_module /tmp/apache/lib/mod_access_compat.so
User daemon
Group daemon
ServerName agneyam
DocumentRoot "/tmp/apache/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory "/tmp/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    AuthzMergeRules Off
</Directory>

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
imacat@rinse ~ % /tmp/httpd-2.3-20080813101457/httpd -f /tmp/apache/httpd.conf
Syntax error on line 10 of /tmp/apache/httpd.conf:
Invalid command 'Require', perhaps misspelled or defined by a module not included in the server configuration
imacat@rinse ~ %
Comment 15 rahul 2008-08-14 02:20:34 UTC
It is provided by authz_core, I guess it may have been statically linked
in my httpd.
http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#require
Comment 16 imacat 2008-08-14 09:12:16 UTC
    Hi.  This is imacat from Taiwan.

    I made several tests tonight.  This is the least httpd.conf to work.  As a result, I think this bug can be closed if the patch#22401 is applied in 2.0, 2.2 and 2.3 branches.

    Please tell me if you need any more information, or if I could be of any help.  Thank you.

imacat@rinse ~ % ls -l /tmp/apache/htdocs
total 8
drwxr-xr-x 2 imacat users 4096 Aug  6 12:42 private
-rw-r--r-- 1 imacat users   40 Aug  6 12:34 privatedetective.txt
imacat@rinse ~ % cat /tmp/apache/htdocs/privatedetective.txt
Sherlock Holmes is a private detective.
imacat@rinse ~ % cat /tmp/apache/httpd.conf
User imacat
Group nogroup
DocumentRoot /tmp/apache/htdocs
PidFile /tmp/apache/httpd.pid
Listen 50080
ErrorLog /tmp/apache/error_log
LogLevel debug
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule access_compat_module modules/mod_access_compat.so

<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
imacat@rinse ~ % /tmp/apache-2.3-20080814101449/bin/httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
imacat@rinse ~ % /tmp/apache-2.3-20080814101449/bin/httpd -f /tmp/apache/httpd.conf
imacat@rinse ~ % telnet localhost 50080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /privatedetective.txt HTTP/1.1
Host: localhost
Connection: close

HTTP/1.1 200 OK
Date: Thu, 14 Aug 2008 16:11:26 GMT
Server: Apache/2.3.0-dev (Unix)
Last-Modified: Wed, 06 Aug 2008 04:34:10 GMT
ETag: "238f6a-28-453c3156c7480"
Accept-Ranges: bytes
Content-Length: 40
Connection: close
Content-Type: text/plain

Sherlock Holmes is a private detective.
Connection closed by foreign host.
imacat@rinse ~ % kill $(</tmp/apache/httpd.pid)
imacat@rinse ~ % cat /tmp/apache/error_log
[Fri Aug 15 00:11:22 2008] [notice] Apache/2.3.0-dev (Unix) configured -- resuming normal operations
[Fri Aug 15 00:11:22 2008] [info] Server built: Aug 14 2008 23:47:15
[Fri Aug 15 00:11:22 2008] [debug] prefork.c(960): AcceptMutex: sysvsem (default: sysvsem)
imacat@rinse ~ %
Comment 17 jkaluza 2014-10-29 09:13:11 UTC
Created attachment 32161 [details]
another approach

Attached patch fixes the issue by marking core_dir_config entries created by Directory/DirectoryMatch directives. In ap_directory_walk, the last core_dir_config entry is checked and if we are going to serve a regular file, but the entry is created using Directory/DirectoryMatch, it is skipped.
Comment 18 jkaluza 2014-10-29 09:14:31 UTC
The benefit of my patch is that it keeps the backward compatibility with previous DirectoryMatch (So it does not suffer the problem mentioned in Comment 6).
Comment 19 jkaluza 2014-10-29 11:08:54 UTC
Created attachment 32163 [details]
another approach v2
Comment 20 jkaluza 2014-10-30 08:35:04 UTC
Committed in trunk in r1635428.
Comment 21 William A. Rowe Jr. 2015-01-22 00:03:20 UTC
Thanks again imacat for the report.  Your observations absolutely have merit and need to be addressed.  I've reverted the patch with the following notes, reproducing here for completeness...

Revert r4635428 corresponding to PR41867.

The code reverted attempted to restrict comparisons of the r->filename
to given DirectoryMatch blocks.

r->filename was already a non-directory entity at this point, because we
have already fallen out of the } while (thisinfo.filetype == APR_DIR);
block above.

The addition of r->d_is_directory was redundant.  That is what is always
returned by ap_get_core_module_config(r->per_dir_config).

Note modifying dir_config required an MMN major bump as this commit could
have realigned the offset of refs (had it been added to the end, this
would correspond to an mmn minor bump) and other fields packed into the
same bytes (this is undefined). Bump on revert to prevent unexpected crashes.
Comment 22 William A. Rowe Jr. 2015-01-22 00:11:03 UTC
Hopefully, this will help somewhat, clearing the resolved bit.

The appropriate patch will track the length of all directory-related path segments for later comparison.  This snippet below is just a part of accomplishing this task; 

--- request.c   (revision 1653666)
+++ request.c   (working copy)
@@ -566,6 +566,8 @@
     walk_cache_t *cache;
     char *entry_dir;
     apr_status_t rv;
+    apr_size_t dir_len;
+    char save_ch;
     int cached;

     /* XXX: Better (faster) tests needed!!!
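
Review bot: dir_len and save_ch are declared here without initializers, and the only assignment to dir_len in this patch sits inside the directory-walk loop body, so any path that does not execute that statement reaches the later r->filename[dir_len + 1] accesses with an indeterminate index. Initialize at declaration (for example "apr_size_t dir_len = 0;") and skip the truncate/restore pair when dir_len was never set.
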
@@ -1169,6 +1170,9 @@
                 return r->status = HTTP_FORBIDDEN;
             }

+            /* directory-path string length here for DirectoryMatch */
+            dir_len = strlen(r->filename);
+
             ++seg;
         } while (thisinfo.filetype == APR_DIR);
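
Review bot: the assignment "dir_len = strlen(r->filename);" is placed before the "while (thisinfo.filetype == APR_DIR)" test, so it also runs on the last pass through the loop body, where the entry just examined may not be a directory. If r->filename already includes that entry at this point, dir_len ends up as the length of the full file path rather than of the directory path. Guard the assignment with "if (thisinfo.filetype == APR_DIR)", and state in the comment whether the stored length counts the trailing slash, since the later code indexes at dir_len + 1.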


The optimizations earlier in the code would cause dir_len to remain unset on subrequests, owing to the fact that we don't 'parse twice' any identical path elements.  I just haven't had time to evaluate each of the 'continue'/'break' cases in the intervening code.

Provided that the accumulated dir_len is correct, and that we ensure r->filename, at this stage of the game, is allocated one byte longer than the given string, then we can play this quick trick to always compare the path -including- any provided trailing slash against the directorymatch regular expression strings;

@@ -1191,10 +1195,17 @@
             }
         }

-        /*
-         * Now we'll deal with the regexes, note we pick up sec_idx
-         * where we left off (we gave up after we hit entry_core->r)
+        /* Now we'll deal with the DirectoryMatch regex's
+         *
+         * First, shorten r->filename to dir_len, plus the trailing
+         * slash when present
          */
+        save_ch = r->filename[dir_len + 1];
+        r->filename[dir_len + 1] = '\0';
+
+        /* Note we pick up sec_idx where we left off
+         * (we gave up above once we hit entry_core->r)
+         */
         for (; sec_idx < num_sec; ++sec_idx) {

             int nmatch = 0;
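
Review bot: the truncation at "r->filename[dir_len + 1] = '\0';" is unconditional, while the new comment says the slash is kept only "when present". When r->filename is exactly dir_len characters long (no trailing slash), index dir_len is the terminator and dir_len + 1 is one byte past it, so both the read into save_ch and the write are outside the string. Check "r->filename[dir_len] == '/'" first and terminate at dir_len + 1 only in that case, otherwise leave the string as it is.
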
@@ -1216,6 +1227,8 @@
                 pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
             }

+            /* r->filename here has been truncated to the directory path
+             * component -including- trailing slash
             if (ap_regexec(entry_core->r, r->filename, nmatch, pmatch, 0)) {
                 continue;
             }
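
Review bot: the comment opened by the added line "/* r->filename here has been truncated ..." is never closed; there is no "*/" after "-including- trailing slash". As written, the "if (ap_regexec(entry_core->r, r->filename, ...))" test and everything up to the next "*/" in the file are swallowed by the comment, so the regex comparison is skipped or the file fails to compile. Add the closing " */" line before the if.
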
@@ -1268,6 +1281,8 @@
             last_walk->matched = sec_ent[sec_idx];
             last_walk->merged = now_merged;
         }
+        /* Restore filename  now that we have processed DirectoryMatch'es */
+        r->filename[dir_len + 1] = save_ch;

         if (rxpool) {
             apr_pool_destroy(rxpool);
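
Review bot: the restore at "r->filename[dir_len + 1] = save_ch;" depends on control always reaching this line after the truncation, and it repeats the same dir_len + 1 index, so it shares the bounds concern of the truncation. Matching against a pool-allocated copy of the directory part (for example apr_pstrmemdup() on r->pool) would remove both the in-place mutation and the need to restore. Minor: the comment has a double space in "filename  now".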


I'll come back to this and invite everyone to beat me to completing this patch, and preventing the case described in #1 above.
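
The prefix match reported in this bug and the directory-only comparison sketched in comment 22, modelled side by side as an added example (not part of the thread and not httpd code). The two matcher functions are simplified models; the `BOUNDED` pattern, the `notes.txt` entry and the `audit_config` heuristic are assumptions introduced here.

```python
import os
import re

DOCROOT = "/tmp/apache/htdocs"
# Constructed sample: the report's layout plus one hypothetical file in private/.
PATHS = {
    DOCROOT + "/private": "dir",
    DOCROOT + "/private/notes.txt": "file",
    DOCROOT + "/privatedetective.txt": "file",
}

REPORTED = r"^/tmp/apache/htdocs/private"        # pattern from the report
BOUNDED = r"^/tmp/apache/htdocs/private(/|$)"    # assumption: tightened variant


def match_full_path(pattern, path, kind):
    """Simplified model of the reported behaviour: the regex is run
    against the whole filename, file component included."""
    return re.search(pattern, path) is not None


def match_directory_part(pattern, path, kind):
    """Simplified model of comment 22: the regex is run against the
    directory part only, always terminated by a slash."""
    directory = path if kind == "dir" else os.path.dirname(path)
    return re.search(pattern, directory.rstrip("/") + "/") is not None


def affected(pattern, matcher):
    """Sample paths that a <DirectoryMatch pattern> block would apply to."""
    return sorted(p for p, kind in PATHS.items() if matcher(pattern, p, kind))


SECTION = re.compile(
    r'^[ \t]*<DirectoryMatch[ \t]+"?(.+?)"?[ \t]*>[ \t]*$', re.I | re.M)
OPEN_TAIL = re.compile(r"([\w.\-]|\.\*)$")


def audit_config(conf_text):
    """Heuristic: flag DirectoryMatch patterns ending in a bare name or '.*',
    which also match sibling entries sharing that prefix when the regex is
    compared against the full filename."""
    return [m.group(1) for m in SECTION.finditer(conf_text)
            if OPEN_TAIL.search(m.group(1))]


# Constructed configuration: the report's block next to the bounded variant.
SAMPLE_CONF = """\
DocumentRoot /tmp/apache/htdocs
<DirectoryMatch ^/tmp/apache/htdocs/private>
  Deny from all
</DirectoryMatch>
<DirectoryMatch "^/tmp/apache/htdocs/private(/|$)">
  Deny from all
</DirectoryMatch>
"""

if __name__ == "__main__":
    cases = [
        ("reported pattern, full path", REPORTED, match_full_path),
        ("reported pattern, directory part", REPORTED, match_directory_part),
        ("bounded pattern, full path", BOUNDED, match_full_path),
    ]
    for label, pattern, matcher in cases:
        print(label)
        for path in affected(pattern, matcher):
            print("   ", path)
    print("flagged by audit:", audit_config(SAMPLE_CONF))
```
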
Comment 23 Rainer Jung 2018-02-25 19:40:06 UTC
Undo spam change
Comment 24 William A. Rowe Jr. 2018-11-07 21:09:19 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.