Bug 62698 - Preventing mod_autoindex listing of directory (error 403)
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_core
Version: 2.4.34
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2018-09-07 22:50 UTC by Joergen Thomsen
Modified: 2019-05-06 22:51 UTC
Description Joergen Thomsen 2018-09-07 22:50:54 UTC
mod_authz will prevent mod_autoindex from generating a listing of a directory without an index file in certain cases.

For security reasons (illegally uploaded files) a generation of the following is performed for all directories:

<Directory "/var/www/html/dom.tld/sub">
Require all granted
<FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
Require all denied
</FilesMatch>
<Files "address.php">
Require all granted
</Files>
</Directory>


In httpd.conf for the vhosts:

DirectoryIndex index.var index.htm index.cgi index.php

Options IncludesNOEXEC FollowSymlinks ExecCGI Multiviews

<Directory "/var/www/html/don.tld/sub">
Options +Indexes
Require all granted
</Directory>

mod_authz will assume a Require all denied when testing for e.g. index.php, which is not present in the directory, but disallowed by the generated rule.
A 403 error will be returned instead of turning over the action to mod_autoindex.

There should be no consequences for testing a 'denied' rule against a non-existent file.

[Fri Sep 07 22:23:29.769962 2018] [authz_core:error] [pid 25764:tid 140612263212800] AH01630: client denied by server configuration: /var/www/html/dom.tld/sub/index.php
[Fri Sep 07 22:23:29.769964 2018] [core:trace3] [pid 25764:tid 140612263212800] request.c(119): auth phase 'check access' gave status 403: /utils/index.php
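
The interaction described in this report can be checked against a configuration before deployment. The following is an added example, not part of the report and not httpd code: it models the reported behaviour (a DirectoryIndex candidate matched by a deny rule yields 403 even when the file is absent) for the directives quoted above. The function names parse, allowed and resolve are hypothetical; it assumes Options +Indexes is in effect and that the last denied candidate is the one reported, as in the log lines above.

```python
import fnmatch
import re

CONFIG = r'''
DirectoryIndex index.var index.htm index.cgi index.php
<Directory "/var/www/html/dom.tld/sub">
Options +Indexes
Require all granted
<FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
Require all denied
</FilesMatch>
<Files "address.php">
Require all granted
</Files>
</Directory>
'''  # constructed input: the directives quoted in the report, merged into one fragment

def parse(config):
    """Return (DirectoryIndex names, per-file rules in order of appearance)."""
    index, rules, matcher = [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r'DirectoryIndex\s+(.+)', line):
            index = m.group(1).split()
        elif m := re.match(r'<FilesMatch\s+"(.+)"\s*>', line):
            matcher = re.compile(m.group(1)).search
        elif m := re.match(r'<Files\s+"(.+)"\s*>', line):
            matcher = re.compile(fnmatch.translate(m.group(1))).match
        elif line.startswith('</Files'):
            matcher = None
        elif (m := re.match(r'Require all (granted|denied)', line)) and matcher:
            rules.append((matcher, m.group(1) == 'granted'))
    return index, rules

def allowed(name, rules):
    """Later matching <Files>/<FilesMatch> sections override earlier ones."""
    verdict = True  # assumption: the enclosing <Directory> grants access
    for matcher, granted in rules:
        verdict = granted if matcher(name) else verdict
    return verdict

def resolve(index, rules, present):
    """Model the outcome of a request for the directory itself."""
    denied = None
    for name in index:
        if not allowed(name, rules):
            denied = name  # 403 is recorded whether or not the file exists
        elif name in present:
            return ('serve', name)
    return ('403', denied) if denied else ('autoindex', None)
```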