Topic: Apache Not throwing error...
jakelake



Joined: 14 Apr 2009
Posts: 3

Posted: Tue 14 Apr '09 23:51    Post subject: Apache Not throwing error...

Not sure why this is working:

http://localhost/test.html/anyText

The page is located at http://localhost/test.html - the following /anyText allows the page to load, although it ruins the CSS because the path is now wrong. Any way that I can make this error instead of working how it is now?

Thanks,
/Jake
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Wed 15 Apr '09 16:57

One thing to prevent that is that you set the URLs in your links on the webpage. Why should anyone add that to your URL?

Second thought: Use absolute paths!

Like:
background-image: url(design_images/head.jpg);
becomes
background-image: url(/design_images/head.jpg);

Also use absolute paths for other items (images, etc...)
Back to top
jakelake



Joined: 14 Apr 2009
Posts: 3

Posted: Wed 15 Apr '09 18:24

People would add that in an attempt to get an error back from the Apache server to learn more about the system they are trying to hack. The project I'm working on is security focused and can't allow this. Anyone know how to make it throw an error?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Wed 15 Apr '09 20:51

A 401, 403, 404 & 500 ought to be easy.

401: Using Authentication and giving it none by clicking cancel on the UN/PW dialog.
403: "deny from all" your document root
404: call a file not on the server

500: I only know one good, easy way to get a 500, a bunk perl script.

Code:
# filename bunk.cgi
# Should throw a 500
print "Hello Peoples";
exit;



Two things should throw an error with the above, one is
(22)Invalid argument: couldn't spawn child process: (there is no shebang so can't find perl)

The other is because we are printing w/o content-type. This will not actually give much of an error description other than "malformed header from script" but only after fixing the above (shebang is added) will you get this one.

400: Bad Request
This I think one can get by feeding it a really HUGE URI
http://localhost/(x*1024)/index.html
I may be wrong on this one but sounds familiar.
Back to top
jakelake



Joined: 14 Apr 2009
Posts: 3

Posted: Wed 15 Apr '09 21:54

Not sure that I'm following here...

Let me explain again maybe more clearly this time.

Say I have page: www.mysite.com/stuff.html
And the user changes the page URL to: www.mysite.com/stuff.html/more

Not sure why this would occur, but I need to have 100% coverage. In that event, I would like Apache to toss an error. Instead, Apache is loading the page fine except no CSS because of the /more it thinks its directory has changed and my relative path no longer works.

Thanks.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 16 Apr '09 19:52

yeah, but technically that IS a valid URI and Apache is not going to error on a valid URI but that should be a 404 since /more does not exist.

Just like it does on Apache 1.3.x
Not Found
The requested URL /index.html/more was not found on this server.

IMHO this is a bug!

I know, I sort of flip-flopped in the first sentence.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Thu 16 Apr '09 21:52

That is not a bug, I like that feature when there is no rewriting possible ;)
But you are right, there should be a 404. Great if there would be a switch to turn that on or off.

----
Edit: found it! --> Multiviews
http://httpd.apache.org/docs/2.2/content-negotiation.html

Quote:

The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.


Hope, with my poor English, that it is that feature / bug ^^
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Fri 17 Apr '09 1:22

I do not think so .. that's for things like index.html[dot]de
not index.html[slash]anything.

MultiViews was on when I tested on 1.3.41

The slash should push it into the next directory ... like
/path/to/DocRoot/index.html/subsubdir and subsubdir does not exist.

get out the fly swatter
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Fri 17 Apr '09 9:52

For the flies in my mind ;) :D

But to get serious: Who could know about that phenomenon?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Fri 17 Apr '09 17:06

James Blond wrote:
But to get serious: Who could know about that phenomenon?


Jake found it!
I doubt kiddies scripts will tho we may start seeing it now.
I'm pondering what/if any implications this may have security wise.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Fri 17 Apr '09 21:10

That is not what I meant. Maybe the German inside me can't tell it ;)
I wanna know what is different inside the source code and why it was decided to implement that feature / bug.
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 614
Location: Milford, MA, USA

Posted: Sat 18 Apr '09 0:19

Yes, it is perfectly legal to have that extra /anyText after the filename part of the URI.
That extra /anyText part of the http://localhost/test.html/anyText URL is called PATH_INFO.

It should be rejected by default when Apache is serving static files.
If you have a filter or a cgi handler, it is accepted by default.

Take a look at the AcceptPathInfo Directive for more options about allowing or disallowing this.

-tom-
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sat 18 Apr '09 0:59

*laughing* cause of the /more example

Guess it's time for me to read the entire docs ... again ... like the 5th time now

Quote:
The three possible arguments for the AcceptPathInfo directive are:

Off
A request will only be accepted if it maps to a literal path that exists. Therefore a request with trailing pathname information after the true filename such as /test/here.html/more in the above example will return a 404 NOT FOUND error.


Tom, I knew you'd know .. but wasn't going to ask. Thanks for clearing this up.

-edit-
Ran into a perfect example of this in use last night .... Blosxom
Back to top
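
The AcceptPathInfo setting from the last two replies, written out as a configuration fragment. This is an added example, not part of the original thread; the directory paths and the script name example.cgi are placeholders, and access-control directives are left out.

```apache
# Added example: paths and the script name are placeholders.

# Static content: reject any request that carries trailing path
# information, so /stuff.html/more returns 404 NOT FOUND instead of
# serving stuff.html with broken relative links.
<Directory "/path/to/DocRoot">
    AcceptPathInfo Off
</Directory>

# CGI scripts accept PATH_INFO by default. Turn it off for the whole
# directory and re-enable it only for the one script that is known to
# rely on it (the thread mentions Blosxom as a program that uses it).
<Directory "/path/to/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    AcceptPathInfo Off
    <Files "example.cgi">
        AcceptPathInfo On
    </Files>
</Directory>
```

After a reload, a request for /stuff.html/more should be answered with 404 while /stuff.html still returns the page. The directive is also allowed in .htaccess where AllowOverride includes FileInfo.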