Summary: | CGI works, but client denied error messages in error.log | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Georg Sauthoff <bz-apache-org> |
Component: | Core | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | normal | CC: | jerrocks, Martin.vGagern |
Priority: | P2 | ||
Version: | 2.5-HEAD | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | Linux |
Description
Georg Sauthoff
2007-10-20 12:57:12 UTC
I see this issue on Windows 2003, Windows 2008 and Mac 10.5.6 running Apache 2.2. Looks like this is alive on Red Hat Enterprise Linux Server release 5.5 with httpd-2.2.3-43.el5 I also see this problem in SLES11 SP2 (Apache 2.2.12): I wrote a Perl CGI script that uses path info heavily to select the function to dispatch (virtually encoding the function to perform in the URI). In combination with ScriptAlias I call functions like http://vserver.domain.org/topic/session/function/transaction/step where http://vserver.domain.org/topic is a ScriptAlias to /srv/www/cgi-bin/freaky.pl So freaky.pl processes parameters like "/session/function/transaction/step". I verified (in the browser) that freaky.pl creates hyperlinks like http://vserver.domain.org/topic/session/function2/transaction2/step2, and those hyperlinks _work_ (i.e. the function is performed with the proper URI). Unfortunately at the same time Apache logs an _error_ like this: client denied by server configuration: /srv/www/vserver/session, referrer http://vserver.domain.org/topic/session/function/transaction/step So I guess Apache gets somewhat confused. I'd like to see this problem fixed, or at least to be presented a work-around. The issue is caused by server/util_script.c::ap_add_cgi_vars(). At the end, it needs to define the variable "PATH_TRANSLATED", as required by https://www.rfc-editor.org/rfc/rfc3875#section-4.1.6 - by tacking on the cgi subpath to DocumentRoot, even though the result is a nonsensical path that doesn't exist. To achieve this, it calls server/request.c::ap_sub_req_lookup_uri(), lets it do its thing, and just picks up the computed 'filename' from the result. The fact that this call is actually trying to access the fake path, and is tripping security checks as it does so, makes me suspect it is not the most appropriate tool for the job. Reproduces on a default httpd install on ubuntu, freebsd, windows. Reproduces with mod_cgi and mod_wsgi. Requires only minimal edits: 1. edit httpd.conf - comment out 'Require all granted' from default DocumentRoot directory. 2. edit httpd.conf - append "ScriptAlias /test /tmp/test.cgi" "<Location /test>Require all granted</Location>". 3. wget http://localhost/test/whatever 4. [authz_core:error] [pid 1861] [client 127.0.0.1:20266] AH01630: client denied by server configuration: /usr/local/www/apache24/test/whatever The call stack looks like this for httpd 2.4.57: 1. ap_log_rerror_(file="mod_authz_core.c", int line=879, module_index=6, level=3, status=0, r=0x00bc2f00, fmt="AH01630...", ...) in server/log.c(1366) 2. authorize_user_core(r=0x00bc2f00, int after_authn=0) in modules/aaa/mod_authz_core.c(879) 3. authorize_userless(r=0x00bc2f00) in modules/aaa/mod_authz_core.c(916) 4. ap_run_access_checker_ex(r=0x00bc2f00) in server/request.c(92) 5. ap_process_request_internal(r=0x00bc2f00) in server/request.c(339) 6. ap_sub_req_method_uri(method="GET", new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2289) 7. ap_sub_req_lookup_uri(new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2301) 8. ap_add_cgi_vars(r=0x00bbeaf0) in server/util_script.c(432) 9. cgi_handler(r=0x00bbeaf0) in modules/generators/mod_cgi.c(805) |