Hi, I have a working Apache 2 setup and Apache calls successfully the cgi-scripts. The problem is, that for every successfull CGI-call I get a 'client denied by server configuration' error message into the error.log file. This message conflicts with the fact, that the CGI-call was executed successfully and I saw the correct output in the Web browser. I am basically using a '/ Deny all' policy and a ScriptAlias definition. A minimal working example which reproduces the error follows at the end of the report. Analysis: I debugged this issue a bit and it: - check_dir_access() is called two times for every cgi request - the 2nd check_dir_access() call actually prints the 'client denied' error message => the cause is server/util_script.c:ap_add_cgi_vars() - to construct PATH_TRANSLATED ap_sub_req_lookup_uri() is called and as a result a few frames later check_dir_access() is called Conclusion: Well, the problems with this wrong error messages are: 1. it makes no sense, because the cgi-script don't use apaches access control mechanism 2. such wrong messages hide real error messages Minimal working example: NameVirtualHost * <VirtualHost *> DocumentRoot /var/www/ <Directory /> Options -FollowSymLinks -Indexes -Includes -ExecCgi AllowOverride None Order Deny,Allow Deny from all </Directory> ScriptAlias /project /var/www/project/cgi-bin/test.cgi <Directory /var/www/project/cgi-bin> SetHandler cgi-script Options +ExecCGI Order Deny,Allow Allow from all </Directory> </VirtualHost> # cat test.cgi #!/bin/sh cat out.min # cat out.min Content-Type: text/html; charset=utf-8 Status: 200 OK <HTML> <HEAD></HEAD><BODY><H1>HELLO WORLD!</H1></BODY></HTML> # curl http://127.0.0.1/project/bar <HTML> <HEAD></HEAD><BODY><H1>HELLO WORLD!</H1></BODY></HTML> Error message in error.log: [error] [client 127.0.0.1] client denied by server configuration: /var/www/bar Before the debugging the problem with gdb I discussed it two months ago at the apache user mailing list: http://thread.gmane.org/gmane.comp.apache.user/70767/focus=70804 (at that time nobody could identify the cause for this wrong error messages) Best regards Georg Sauthoff
I see this issue on Windows 2003, Windows 2008 and Mac 10.5.6 running Apache 2.2.
Looks like this is alive on Red Hat Enterprise Linux Server release 5.5 with httpd-2.2.3-43.el5
I also see this problem in SLES11 SP2 (Apache 2.2.12): I wrote a Perl CGI script that uses path info heavily to select the function to dispatch (virtually encoding the function to perform in the URI). In combination with ScriptAlias I call functions like http://vserver.domain.org/topic/session/function/transaction/step where http://vserver.domain.org/topic is a ScriptAlias to /srv/www/cgi-bin/freaky.pl So freaky.pl processes parameters like "/session/function/transaction/step". I verified (in the browser) that freaky.pl creates hyperlinks like http://vserver.domain.org/topic/session/function2/transaction2/step2, and those hyperlinks _work_ (i.e. the function is performed with the proper URI). Unfortunately at the same time Apache logs an _error_ like this: client denied by server configuration: /srv/www/vserver/session, referrer http://vserver.domain.org/topic/session/function/transaction/step So I guess Apache gets somewhat confused. I'd like to see this problem fixed, or at least to be presented a work-around.
The issue is caused by server/util_script.c::ap_add_cgi_vars(). At the end, it needs to define the variable "PATH_TRANSLATED", as required by https://www.rfc-editor.org/rfc/rfc3875#section-4.1.6 - by tacking on the cgi subpath to DocumentRoot, even though the result is a nonsensical path that doesn't exist. To achieve this, it calls server/request.c::ap_sub_req_lookup_uri(), lets it do its thing, and just picks up the computed 'filename' from the result. The fact that this call is actually trying to access the fake path, and is tripping security checks as it does so, makes me suspect it is not the most appropriate tool for the job. Reproduces on a default httpd install on ubuntu, freebsd, windows. Reproduces with mod_cgi and mod_wsgi. Requires only minimal edits: 1. edit httpd.conf - comment out 'Require all granted' from default DocumentRoot directory. 2. edit httpd.conf - append "ScriptAlias /test /tmp/test.cgi" "<Location /test>Require all granted</Location>". 3. wget http://localhost/test/whatever 4. [authz_core:error] [pid 1861] [client 127.0.0.1:20266] AH01630: client denied by server configuration: /usr/local/www/apache24/test/whatever The call stack looks like this for httpd 2.4.57: 1. ap_log_rerror_(file="mod_authz_core.c", int line=879, module_index=6, level=3, status=0, r=0x00bc2f00, fmt="AH01630...", ...) in server/log.c(1366) 2. authorize_user_core(r=0x00bc2f00, int after_authn=0) in modules/aaa/mod_authz_core.c(879) 3. authorize_userless(r=0x00bc2f00) in modules/aaa/mod_authz_core.c(916) 4. ap_run_access_checker_ex(r=0x00bc2f00) in server/request.c(92) 5. ap_process_request_internal(r=0x00bc2f00) in server/request.c(339) 6. ap_sub_req_method_uri(method="GET", new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2289) 7. ap_sub_req_lookup_uri(new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2301) 8. ap_add_cgi_vars(r=0x00bbeaf0) in server/util_script.c(432) 9. cgi_handler(r=0x00bbeaf0) in modules/generators/mod_cgi.c(805)