https://bz.apache.org/bugzilla/show_bug.cgi?id=58854
--- Comment #15 from Jacob P <[email protected]> --- (In reply to Eric Covener from comment #14) > (In reply to Eric Covener from comment #13) > > > Our initial testing advises that the fix for rewrites looping works, but > > > the > > > original issue persists, that the RewriteRule ignores any Requires. > > > > I'm fairly sure I originally tested that case, with the regressing patch, > > but I can no longer get it to fail even with a vanilla 2.4.18. But I am now > > questioning whether I really did. > > > > mod_rewrite specified in htaccess doesn't even run in the 'require all > > denied' case. Must be missing something. > > Something that fuels my doubts is how I worded the fix, wrt looping only. > Can anyone share trace8 output for this failure on 2418: > > Example of Apache 2.4.18 working incorrectly: > 1. Create /home/cgihw/public_html/.htaccess: > Require all denied > RewriteEngine on > RewriteRule .* goodbye.txt [L] > 2. Remove file: rm -f /home/cgihw/public_html/403.shtml > 3. Remove file: rm -f /home/cgihw/public_html/missing.txt > 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt > 5. Navigate to http://cgihw.loc/missing.txt > 6. Observe that you are incorrectly presented with the contents of > goodbye.txt > 7. Observe that the LimitInternalRecursion limit is never compared against > 8. Observe that no Internal server error is presented to the user Here's trace8 with a patched 2.4.18 (original patch provided by Eric, not the second): [Mon Feb 29 16:09:18.805864 2016] [core:trace5] [pid 8692] protocol.c(616): [client 192.168.122.236:42428] Request received from client: GET /missing.txt HTTP/1.1 [Mon Feb 29 16:09:18.806118 2016] [http:trace4] [pid 8692] http_request.c(394): [client 192.168.122.236:42428] Headers received from client: [Mon Feb 29 16:09:18.806135 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] User-Agent: curl/7.29.0 [Mon Feb 29 16:09:18.806143 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] Host: cgihw.tld [Mon Feb 29 16:09:18.806150 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] Accept: */* [Mon Feb 29 16:09:18.806422 2016] [authz_core:debug] [pid 8692] mod_authz_core.c(809): [client 192.168.122.236:42428] AH01626: authorization result of Require all denied: denied [Mon Feb 29 16:09:18.806447 2016] [authz_core:debug] [pid 8692] mod_authz_core.c(809): [client 192.168.122.236:42428] AH01626: authorization result of <RequireAny>: denied [Mon Feb 29 16:09:18.806457 2016] [authz_core:error] [pid 8692] [client 192.168.122.236:42428] AH01630: client denied by server configuration: /home/cgihw/public_html/missing.txt [Mon Feb 29 16:09:18.806478 2016] [core:trace3] [pid 8692] request.c(119): [client 192.168.122.236:42428] auth phase 'check access' gave status 403: /missing.txt [Mon Feb 29 16:09:18.806560 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/403.shtm l -> 403.shtml [Mon Feb 29 16:09:18.806578 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri '403.shtml' [Mon Feb 29 16:09:18.806599 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] rewrite '403.shtml' -> 'goodbye.txt' [Mon Feb 29 16:09:18.806626 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_ html/goodbye.txt [Mon Feb 29 16:09:18.806642 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] strip document_root prefix: /home/cgihw/public_html/go odbye.txt -> /goodbye.txt [Mon Feb 29 16:09:18.806654 2016] [rewrite:trace1] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] internal redirect with /goodbye.txt [INTERNAL REDIRECT ] [Mon Feb 29 16:09:18.806742 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/goodbye. txt -> goodbye.txt [Mon Feb 29 16:09:18.806757 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri 'goodbye.txt' [Mon Feb 29 16:09:18.806770 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] rewrite 'goodbye.txt' -> 'goodbye.txt' [Mon Feb 29 16:09:18.806781 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_ html/goodbye.txt [Mon Feb 29 16:09:18.806795 2016] [rewrite:trace1] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] initial URL equal rewritten URL: /home/cgihw/public_ht ml/goodbye.txt [IGNORING REWRITE] [Mon Feb 29 16:09:18.806885 2016] [http:trace3] [pid 8692] http_filters.c(1006): [client 192.168.122.236:42428] Response sent with status 403, headers: [Mon Feb 29 16:09:18.806898 2016] [http:trace5] [pid 8692] http_filters.c(1013): [client 192.168.122.236:42428] Date: Mon, 29 Feb 2016 16:09:18 GMT [Mon Feb 29 16:09:18.806908 2016] [http:trace5] [pid 8692] http_filters.c(1016): [client 192.168.122.236:42428] Server: Apache [Mon Feb 29 16:09:18.806917 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Last-Modified: Mon, 29 Feb 2016 16:06:33 GMT [Mon Feb 29 16:09:18.806925 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Accept-Ranges: bytes [Mon Feb 29 16:09:18.806931 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Content-Length: 14 [Mon Feb 29 16:09:18.806938 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Connection: close [Mon Feb 29 16:09:18.806944 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Content-Type: text/plain [Mon Feb 29 16:09:18.806979 2016] [core:trace6] [pid 8692] core_filters.c(525): [client 192.168.122.236:42428] core_output_filter: flushing because of FLUSH bucket [Mon Feb 29 16:09:18.807233 2016] [core:trace6] [pid 8692] core_filters.c(525): [client 192.168.122.236:42428] core_output_filter: flushing because of FLUSH bucket -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
