Issue18

Title PATH_INFO is not ignored, as generally done by Apache for static files
Priority bug Status resolved
Superseder Nosy List poeml
Assigned To poeml Keywords

Created on 2009-10-26.22:10:19 by poeml, last changed by poeml.

Messages
msg222 (view) Author: poeml Date: 2010-09-06.00:01:52
I haven't received feedback about the effectivness of the bug yet; but I'm closing 
this issue as resolved nevertheless. Please reopen if necessary.
msg186 (view) Author: poeml Date: 2010-04-23.03:31:01
http://svn.mirrorbrain.org/viewvc/mirrorbrain?view=revision&revision=8043
msg185 (view) Author: poeml Date: 2010-04-23.03:27:46
I committed a fix to the trunk. It'll appear in the next release, which I'll hopefully complete during 
the next weeks.

With the following patch, requests with PATH_INFO correctly lead to 404s, unless the server is 
configured explicitely to allow PATH_INFO. This follows the best practice that modules should respect 
the default.

mod_mirrorbrain now no longer (falsely) behaves like mod_cgi*.



--- mod_mirrorbrain.c   (revision 8042)
+++ mod_mirrorbrain.c   (working copy)
@@ -1092,6 +1092,12 @@
         return DECLINED;
     }
 
+    /* is there PATH_INFO, and are we supposed to accept it? */
+    if ((r->path_info && *r->path_info)
+            && (r->used_path_info != AP_REQ_ACCEPT_PATH_INFO)) {
+        debugLog(r, cfg, "ignoring request with PATH_INFO");
+        return DECLINED;
+    }
 
     debugLog(r, cfg, "URI: '%s'", r->unparsed_uri);
     debugLog(r, cfg, "filename: '%s'", r->filename);
msg43 (view) Author: poeml Date: 2009-10-26.22:10:18
Here's a report from the openSUSE bugzilla:
https://bugzilla.novell.com/show_bug.cgi?id=546396


Description From Matt Barringer 2009-10-13 02:31:27 MDT (-) [reply]

A URL like
http://download.opensuse.org/repositories/FATE:/keeper/openSUSE_11.1/noarch/sxkeeper-suse-1.4.0-
4.1.noarch.rpm/not/really/an/rpm/url
returns the RPM rather than returning a 404 error.  This causes some bad
problems for SUSE Studio when users add build service repositories by URL.

------ Comment #2 From Matt Barringer 2009-10-26 12:19:19 MDT (-) [reply] -------
Is there a reason to not treat the RPM URLs as files, rather than as a CGI
script?  I don't really understand why PATH_INFO would be useful here.

------- Comment #3 From Peter Poeml 2009-10-26 15:12:27 MDT (-) [reply] -------
The behaviour is indeed different than when you would request a static file
from Apache.


The debug log (where r is the request context that Apache gives my module)

    debugLog(r, cfg, "URI: '%s'", r->unparsed_uri);
    debugLog(r, cfg, "filename: '%s'", r->filename);

logs the following for a request on .../foo/bar:

[Mon Oct 26 21:49:14 2009] [warn] [client 10.10.3.98] [mod_mirrorbrain] URI:
'/zrkadlo/repositories/Apache/openSUSE_11.0/i586/apache2-devel-2.2.12-1.1.i586.rpm/foo/bar'
[Mon Oct 26 21:49:14 2009] [warn] [client 10.10.3.98] [mod_mirrorbrain]
filename:
'/srv/www/htdocs/zrkadlo/repositories/Apache/openSUSE_11.0/i586/apache2-devel-2.2.12-1.1.i586.rpm'



The documentation
(http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo) enlightens us:

``The core handler for normal files defaults to rejecting PATH_INFO requests.
Handlers that serve scripts, such as cgi-script and isapi-handler, generally
accept PATH_INFO by default.``

mod_mirrorbrain is not a script, but it runs a handler similar to a script.

If it makes sense, the behaviour could be changed. What is the motivation? What
kind of funny requests are causing the problem?

(For the record, AcceptPathInfo Off in the context of the MirrorBrain config
has the desired effect as well)
History
Date User Action Args
2010-09-06 00:01:52poemlsetstatus: testing -> resolved
messages: + msg222
2010-04-23 03:31:01poemlsetmessages: + msg186
2010-04-23 03:27:46poemlsetstatus: in-progress -> testing
messages: + msg185
2010-02-10 04:43:26poemlsetstatus: unread -> in-progress
2009-10-26 22:10:19poemlcreate