Bug 62698

Summary: Preventing mod_autoindex listing of directory (error 403)
Product: Apache httpd-2
Reporter: Joergen Thomsen <apache>
Component: mod_authz_core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: normal
CC: marherfran
Priority: P2
Version: 2.4.34
Target Milestone: ---
Hardware: PC
OS: Linux

Description Joergen Thomsen 2018-09-07 22:50:54 UTC
mod_authz will prevent mod_autoindex from generating a listing of a directory without an index file in certain cases.

For security reasons (illegally uploaded files) a generation of the following is performed for all directories:

<Directory "/var/www/html/dom.tld/sub">
    Require all granted
    <FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
        Require all denied
    </FilesMatch>
    <Files "address.php">
        Require all granted
    </Files>
</Directory>

In httpd.conf for the vhosts:

DirectoryIndex index.var index.htm index.cgi index.php

Options IncludesNOEXEC FollowSymlinks ExecCGI Multiviews

<Directory "/var/www/html/don.tld/sub">
    Options +Indexes
    Require all granted
</Directory>

mod_authz will assume a Require all denied when testing for e.g. index.php, which is not present in the directory, but disallowed by the generated rule.
A 403 error will be returned instead of turning over the action to mod_autoindex.

There should be no consequences for testing a 'denied' rule against a non-existent file.

[Fri Sep 07 22:23:29.769962 2018] [authz_core:error] [pid 25764:tid 140612263212800] AH01630: client denied by server configuration: /var/www/html/dom.tld/sub/index.php
[Fri Sep 07 22:23:29.769964 2018] [core:trace3] [pid 25764:tid 140612263212800] request.c(119): auth phase 'check access' gave status 403: /utils/index.php
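
A small lint for the configuration described in this report, as an added example (not part of the original report and not Apache code): it lists the DirectoryIndex candidates that a "Require all denied" file section matches, which are the names whose lookup can end in the 403 shown in the log above. It assumes the last matching <Files>/<FilesMatch> section decides the verdict; the sample config is constructed from the directives quoted in the report, and the function name is hypothetical.

```python
import fnmatch
import re

# Constructed sample: the directives quoted in the report, with closing tags.
SAMPLE_CONF = r'''
DirectoryIndex index.var index.htm index.cgi index.php
<Directory "/var/www/html/dom.tld/sub">
    Options +Indexes
    Require all granted
    <FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
        Require all denied
    </FilesMatch>
    <Files "address.php">
        Require all granted
    </Files>
</Directory>
'''

def denied_index_candidates(conf):
    """Return DirectoryIndex names denied by a <Files>/<FilesMatch> section."""
    index_names, rules = [], []  # rules: (matcher, is_deny) in config order
    matcher = None               # matcher of the file section we are inside
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<(Files|FilesMatch)\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            kind, arg = opened.group(1).lower(), opened.group(2)
            if kind == 'filesmatch':
                matcher = re.compile(arg).search  # regex against the file name
            else:
                matcher = lambda name, pat=arg: fnmatch.fnmatchcase(name, pat)
        elif re.match(r'</Files(Match)?\s*>$', line, re.I):
            matcher = None
        elif line.lower().startswith('directoryindex '):
            index_names.extend(line.split()[1:])
        elif matcher and line.lower() in ('require all denied', 'require all granted'):
            rules.append((matcher, line.lower().endswith('denied')))
    denied = []
    for name in index_names:
        verdict = False  # assumption: directory-level rule grants access
        for match, is_deny in rules:
            if match(name):
                verdict = is_deny  # assumption: later matching section wins
        if verdict:
            denied.append(name)
    return denied

if __name__ == '__main__':
    print(denied_index_candidates(SAMPLE_CONF))
```

Any name this returns is an index candidate that matches the deny pattern whether or not the file exists on disk, so it is worth reviewing against the directories that rely on Options +Indexes.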