Project

General

Profile

Actions

Bug #1246

closed

mod_access not restricting FastCGI processes

Added by Anonymous almost 17 years ago. Updated over 15 years ago.

Status:
Wontfix
Priority:
High
Category:
mod_access
Target version:
ASK QUESTIONS IN Forums:

Description

when url.access-deny = (""), FastCGI processes are still allowed to be accessed. It blocks all static files, but has no effect on php files. This is with Lighttpd version 1.4.15, and the following loaded modules.

indexfile
rewrite
alias
access
auth
status
fastcgi
proxy
simple_vhost
evhost
userdir
cgi
rrd
accesslog
magnet
dirlisting
staticfile

-- ircmaxell

Actions #1

Updated by jan almost 17 years ago

Please add the output of


debug.log-request-handling = "enable" 
Actions #2

Updated by ircmaxell almost 17 years ago

Alright, I'm not able to reproduce the error anymore. What was happening was something like this
$HTTPhost == "host1.com" {
$HTTPurl =~ "/admin" {
urn.access-deny = ("")
}
}

Then I went into www.host2.com/administrator/index.php... The php file processed fine, but none of the images appeared (they all got 403 errors). If I can get the error to reproduce, I'll post the debug trace.

Actions #3

Updated by Anonymous over 16 years ago

  • Status changed from New to Fixed

This ticket was closed automatically by the system. It was previously set to a Pending status and hasn't been updated within 28 days.

-- trac-robot

Actions #4

Updated by Anonymous over 16 years ago

  • Status changed from Fixed to Need Feedback

Same problem here with Lighttpd 1.4.16 (Backport for Debian Etch)

When using:


url.access-deny = ( "" )

Lighty returns a correct 403 error.

But when using:


url.access-deny = ( ".jpg" )

then Lighty returns a 403 header AND the content of the jpg file.

Configuration:


server.error-handler-404  = "/notFound.php" 
server.document-root = "/****/static/*site*/" 
$HTTP["url"] =~ "^/t/" {
    magnet.attract-physical-path-to = ( "/****/thumb.lua" )
}
expire.url = ( "/t/" => "access 7 days", "/m/" => "access 7 days", "" => "access 1 days" )
$HTTP["referer"] !~ "*site*" {
    url.access-deny = ( ".jpg" )
}

Debug when using ".jpg":


2007-11-09 10:58:09: (response.c.205) -- splitting Request-URI
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (response.c.207) URI-scheme   :  http
2007-11-09 10:58:09: (response.c.208) URI-authority:  localcdn.*site*.com
2007-11-09 10:58:09: (response.c.209) URI-path     :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (response.c.210) URI-query    :
2007-11-09 10:58:09: (response.c.260) -- sanatising URI
2007-11-09 10:58:09: (response.c.261) URI-path     :  /t/0/1/1-150.jpg
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (mod_access.c.164) url denied as we match: .jpg
2007-11-09 10:58:09: (response.c.205) -- splitting Request-URI
2007-11-09 10:58:09: (response.c.206) Request-URI  :  /notFound.php
2007-11-09 10:58:09: (response.c.207) URI-scheme   :  http
2007-11-09 10:58:09: (response.c.208) URI-authority:  localcdn.*site*.com
2007-11-09 10:58:09: (response.c.209) URI-path     :  /notFound.php
2007-11-09 10:58:09: (response.c.210) URI-query    :
2007-11-09 10:58:09: (response.c.260) -- sanatising URI
2007-11-09 10:58:09: (response.c.261) URI-path     :  /notFound.php
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (response.c.375) -- before doc_root
2007-11-09 10:58:09: (response.c.376) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.377) Rel-Path     : /notFound.php
2007-11-09 10:58:09: (response.c.378) Path         :
2007-11-09 10:58:09: (response.c.426) -- after doc_root
2007-11-09 10:58:09: (response.c.427) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.428) Rel-Path     : /notFound.php
2007-11-09 10:58:09: (response.c.429) Path         : /*wwwpath*/static/*site*/notFound.php
2007-11-09 10:58:09: (response.c.446) -- logical -> physical
2007-11-09 10:58:09: (response.c.447) Doc-Root     : /*wwwpath*/static/*site*/
2007-11-09 10:58:09: (response.c.448) Rel-Path     : getThumbnail.php
2007-11-09 10:58:09: (response.c.449) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.466) -- handling physical path
2007-11-09 10:58:09: (response.c.467) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.474) -- file found
2007-11-09 10:58:09: (response.c.475) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (response.c.613) -- handling subrequest
2007-11-09 10:58:09: (response.c.614) Path         : /*wwwpath*/scripts/getThumbnail.php
2007-11-09 10:58:09: (mod_access.c.135) -- mod_access_uri_handler called
2007-11-09 10:58:09: (mod_fastcgi.c.3589) handling it in mod_fastcgi

Thanks for this wonderful soft :-)

Actions #5

Updated by Anonymous over 16 years ago

Sorry for the CC.

Also, I think: isn't it the 404 handler that tries to handle the 403 error?

-- yvan.taviaud

Actions #6

Updated by stbuehler over 15 years ago

  • Status changed from Need Feedback to Fixed
  • Resolution set to wontfix

I don't know why it isn't documented, but the 404 handler also handles 403; this is clearly wanted in the source. So, this is not unexpected. Won't fix/change in 1.4.

Actions #7

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Wontfix
Actions

Also available in: Atom