>Number: 5362
>Category: mod_negotiation
>Synopsis: MultiViews allows documents to be treated as directories
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Nov 24 17:40:01 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.9
>Environment: FreeBSD 2.2.8
>Description:
When MultiViews is enabled, it allows matches of directory requests to files, which breaks all relative server-side includes as well as client-side images/urls.
>How-To-Repeat:
With an /index.html.en, /index.html.ru, /index.html.jp, etc. present and MultiViews enabled, it is possible for a client to request http://mysite.com/index/ and the appropriate document for your language preferences will be returned. However, all relative "IMG" and "A" links within the html will be resolved on the client side to be under the invalid "index" directory.

Additionally, if index.html.en is a file containing SSI directives, such as to include another file by a relative virtual location, Apache will interpret the include directive as being "relative" to the non-existent directory, and when it attempts to read the include target, it invokes the file again, causing an SSI recursion loop.
>Fix:
When parsing each path part of a requested URL, it should not attempt to treat files matched by MultiViews as directories. Just as a site with MultiViews disabled returns 404 for http://mysite.com/index.html/blah/whatever/etc, a site with MultiViews enabled should also return 404.
>Audit-Trail:
>Unformatted:
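
The behaviour described in this report, as a simplified model added here (not Apache's code and not part of the original report). The names `resolve` and `follow_relative` are hypothetical, the document root is constructed from the How-To-Repeat section plus an assumed `footer.html` include target, and language selection among variants is not modelled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed document root: the variants from the report plus an assumed
# include target (footer.html) that a relative SSI include would point at.
DOCROOT = {"index.html.en", "index.html.ru", "index.html.jp", "footer.html"}


def resolve(url_path, files=DOCROOT, multiviews=True, fixed=False):
    """Model the first path segment lookup; return (status, served_file).

    fixed=True applies the report's proposed rule: a file matched by
    MultiViews must not be followed by further path segments.
    """
    first, sep, _rest = url_path.lstrip("/").partition("/")
    if first in files:
        # Per the report: a real file followed by extra path parts is a 404.
        return (404, None) if sep else (200, first)
    if multiviews:
        variants = sorted(f for f in files if f.startswith(first + "."))
        if variants:
            if sep and fixed:
                return (404, None)
            # Reported behaviour: the variant is served even though the
            # URL continues past it as if it were a directory.
            return (200, variants[0])
    return (404, None)


def follow_relative(request_url, ref, **kw):
    """Resolve a relative IMG/A/include reference against the request URL,
    then look the result up on the modelled server."""
    target = urljoin(request_url, ref)
    status, served = resolve(urlsplit(target).path, **kw)
    return (target, status, served)


if __name__ == "__main__":
    for base in ("http://mysite.com/index", "http://mysite.com/index/"):
        print(base, "->", follow_relative(base, "footer.html"))
    # With the proposed fix the directory-style request never succeeds.
    print("fixed:", resolve("/index/", fixed=True))
```

In the trailing-slash case the relative reference resolves back to `index.html.en` itself, which is the self-inclusion the report describes for SSI; with `fixed=True` the initial request is a 404, so the loop cannot start.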