Ticket #1246 (closed defect: wontfix)

Opened 15 months ago

Last modified 3 days ago

mod_access not restricting FastCGI processes

Reported by: ircmaxell@… Owned by: jan
Priority: high Milestone: 1.5.0
Component: mod_access Version: 1.4.16
Severity: critical Keywords: 403, url.access-deny
Cc: Blocked By:
Need User Feedback: Blocking:

Description

When url.access-deny = (""), FastCGI processes are still allowed to be accessed. It blocks all static files, but has no effect on PHP files. This is with Lighttpd version 1.4.15 and the following loaded modules:

indexfile rewrite alias access auth status fastcgi proxy simple_vhost evhost userdir cgi rrd accesslog magnet dirlisting staticfile

Attachments

Change History

Changed 15 months ago by jan

  • pending set

Please add the output of

debug.log-request-handling = "enable"

Changed 15 months ago by ircmaxell

Alright, I'm not able to reproduce the error anymore. What was happening was something like this:

$HTTP["host"] == "host1.com" {
	$HTTP["url"] =~ "/admin" {
		url.access-deny = ("")
	}
}

Then I went into www.host2.com/administrator/index.php... The php file processed fine, but none of the images appeared (they all got 403 errors). If I can get the error to reproduce, I'll post the debug trace.

Changed 13 months ago by trac-robot

  • status changed from new to closed
  • pending unset

This ticket was closed automatically by the system. It was previously set to a Pending status and hasn't been updated within 28 days.

Changed 10 months ago by anonymous

  • status changed from closed to reopened
  • severity changed from normal to critical
  • cc yvan.taviaud@… added
  • priority changed from normal to high
  • version changed from 1.4.15 to 1.4.16
  • keywords 403, url.access-deny added
  • pending set

Same problem here with Lighttpd 1.4.16 (backport for Debian Etch).

When using:

url.access-deny = ( "" )

Lighty returns a correct 403 error.

But when using:

url.access-deny = ( ".jpg" )

then Lighty returns a 403 header AND the content of the jpg file.

Configuration:

server.error-handler-404  = "/notFound.php"
server.document-root = "/****/static/*site*/"
$HTTP["url"] =~ "^/t/" {
	magnet.attract-physical-path-to = ( "/****/thumb.lua" )
}
expire.url = ( "/t/" => "access 7 days", "/m/" => "access 7 days", "" => "access 1 days" )
$HTTP["referer"] !~ "*site*" {
	url.access-deny = ( ".jpg" )
}

Debug when using ".jpg":

2007-11-09 10:58:09: (response.c.205) -- splitting Request-URI
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (response.c.207) URI-scheme   :  http
2007-11-09 10:58:09: (response.c.208) URI-authority:  localcdn.*site*.com
2007-11-09 10:58:09: (response.c.209) URI-path     :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (response.c.210) URI-query    :
2007-11-09 10:58:09: (response.c.260) -- sanatising URI
2007-11-09 10:58:09: (response.c.261) URI-path     :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (mod_access.c.164) url denied as we match: .jpg
2007-11-09 10:58:09: (response.c.205) -- splitting Request-URI
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /notFound.php
2007-11-09 10:58:09: (response.c.207) URI-scheme   :  http
2007-11-09 10:58:09: (response.c.208) URI-authority:  localcdn.*site*.com
2007-11-09 10:58:09: (response.c.209) URI-path     :  /notFound.php
2007-11-09 10:58:09: (response.c.210) URI-query    :
2007-11-09 10:58:09: (response.c.260) -- sanatising URI
2007-11-09 10:58:09: (response.c.261) URI-path     :  /notFound.php
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (response.c.375) -- before doc_root
2007-11-09 10:58:09: (response.c.376) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.377) Rel-Path     : /notFound.php
2007-11-09 10:58:09: (response.c.378) Path         :
2007-11-09 10:58:09: (response.c.426) -- after doc_root
2007-11-09 10:58:09: (response.c.427) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.428) Rel-Path     : /notFound.php
2007-11-09 10:58:09: (response.c.429) Path         : /*wwwpath*/static/*site*/notFound.php
2007-11-09 10:58:09: (response.c.446) -- logical -> physical
2007-11-09 10:58:09: (response.c.447) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.448) Rel-Path     : getThumbnail.php
2007-11-09 10:58:09: (response.c.449) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.466) -- handling physical path
2007-11-09 10:58:09: (response.c.467) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.474) -- file found
2007-11-09 10:58:09: (response.c.475) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.613) -- handling subrequest
2007-11-09 10:58:09: (response.c.614) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (mod_fastcgi.c.3589) handling it in mod_fastcgi

Thanks for this wonderful soft :-)

Changed 10 months ago by yvan.taviaud@…

  • cc yvan.taviaud@… removed

Sorry for the CC.

Also, I think: isn't it the 404 handler that tries to handle the 403 error?

Changed 10 days ago by stbuehler

  • status changed from reopened to closed
  • resolution set to wontfix

I don't know why it isn't documented, but the 404 handler also handles 403; this is clearly wanted in the source. So, this is not unexpected. Won't fix/change in 1.4.
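
Detection logic for the behaviour traced in the debug output above, as an added example that is not part of this ticket or of lighttpd itself: it scans debug.log-request-handling output and flags a request that mod_access denied but that mod_fastcgi still executed through the error-handler subrequest. The sample log is constructed in the format quoted above; the handler path (here /notFound.php) is an assumed parameter.

```python
import re

# One debug.log-request-handling line: timestamp, source file, message.
LINE_RE = re.compile(r"^\S+ \S+: \((\w+\.c)\.\d+\) (.*)$")

# Constructed sample in the format quoted in the ticket: the first request is
# denied and re-dispatched to /notFound.php, which mod_fastcgi then executes;
# the second is denied outright and is followed by an unrelated request.
SAMPLE_LOG = """\
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (mod_access.c.164) url denied as we match: .jpg
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /notFound.php
2007-11-09 10:58:09: (response.c.378) Path         :
2007-11-09 10:58:09: (response.c.475) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (mod_fastcgi.c.3589) handling it in mod_fastcgi
2007-11-09 10:58:10: (response.c.206) Request-URI  :  /m/logo.jpg
2007-11-09 10:58:10: (mod_access.c.164) url denied as we match: .jpg
2007-11-09 10:58:11: (response.c.206) Request-URI  :  /index.php
2007-11-09 10:58:11: (mod_fastcgi.c.3589) handling it in mod_fastcgi
"""

def find_denied_but_executed(log_text, error_handler):
    """Return one finding per request that mod_access denied and that was then
    handed to mod_fastcgi via the error-handler subrequest. Heuristic: a
    Request-URI equal to error_handler right after a denial is that denial's
    subrequest."""
    findings = []
    current_uri = None   # URI of the request currently being processed
    denied = None        # (uri, pattern) once the current request is denied
    in_handler = None    # the denied tuple while inside its handler subrequest
    physical = None      # last non-empty physical path seen in that subrequest
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, msg = m.groups()
        if msg.startswith("Request-URI"):
            uri = msg.split(":", 1)[1].strip()
            in_handler = denied if (denied and uri == error_handler) else None
            current_uri, denied, physical = uri, None, None
        elif src == "mod_access.c" and msg.startswith("url denied"):
            denied = (current_uri, msg.split(":", 1)[1].strip())
        elif msg.startswith("Path") and in_handler:
            physical = msg.split(":", 1)[1].strip() or physical
        elif src == "mod_fastcgi.c" and in_handler:
            findings.append({"denied_uri": in_handler[0], "pattern": in_handler[1],
                             "handler": error_handler, "script": physical})
            in_handler = None
    return findings
```

A hit means the 403 did not end the request: the handler script ran, and whatever it returned is what the client received alongside the 403 status.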

Changed 3 days ago by stbuehler

  • pending unset
