DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=30673>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=30673

Apache Redirects to CGI in 404 Case

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Major                       |Minor

------- Additional Comments From [EMAIL PROTECTED] 2004-08-15 02:39 -------

Hmm... The only thing w.r.t the web site that has changed recently was the upgrade of the httpd from 1.3.27 -> 1.3.31. I don't recall seeing 500s previously on (what should be) a 404 case, but maybe I simply didn't *run into* such a case previously.

The version of PHP in place was 4.3.1. It needed upgrading anyway, so I downloaded PHP 4.3.8 (Win32) as a ZIP package.

It now appears that this behavior constitutes a security vulnerability. I say this because PHP 4.3.8 aborts with "No input file specified", which is a classic sign that PHP's redirection logic is failing.

The one thing that I would expect to be trouble here is PHP's cgi.force_redirect configuration option. I checked it, and it *is* set to on, as is recommended by the PHP group.

It appears that correct behavior can be achieved by simply passing .php files off to mod_cgi, and using the "shebang line" to invoke the (web-inaccessible) PHP interpreter. I'll recommend the new install tips to the PHP team.

I'm also downgrading the priority of this to "Minor". It's not an "Enhancement", because, AFAICT, the current behavior is simply wrong, but it's not a showstopper.

Thanks, and keep up the fantastic work on the server.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
