>Number:         5300
>Category:       mod_include
>Synopsis:       When server side includes are enabled paths such as: http://server/index.html/foo/foo/ are accepted.
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Nov 12 21:10:01 PST 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3.6
>Environment:
Solaris 2.6 Latest patches
>Description:
When server side includes are enabled, I can enter additional junk on the end of the URL, and Apache does not complain. This may not really be an error, but somehow while Verity is spidering the site, it gets caught in endless loops trying to insert URLs like:
http://www.server.com/index.html/IT/info/<other hrefs>
If I change my Option line in access.conf, and remove Includes, then I get a page not found error, as I would expect, from Apache.

I thought I got rid of this problem when I disabled MultiViews, but I guess not. I cannot disable SSI since tons of our pages use it, but I can't get Verity to work correctly either. I would be very happy to receive any fixes, workarounds, comments, etc.
Please help.
Thanks,
Zoli
>How-To-Repeat:
To duplicate this, type in the following URL:
http://www.apache.org/index.html/foo/foo/foo/foo/
Then click on one of the relative links, like FAQ or Foundation. You will see that it will not make it to these URLs, but it will accept them.
If you update the conf file, and remove the Include Option, this same URL will not be allowed.
>Fix:
I guess the mod_include code would need to verify that the full/entire path is valid?
>Audit-Trail:
>Unformatted:
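As an added illustration, not part of the PR and not Apache's code, the following Python model shows the mechanism the report describes. A server walks the URL path against the filesystem; the first component that names a regular file is served and everything after it becomes PATH_INFO. A handler that ignores non-empty PATH_INFO serves index.html for /index.html/foo/foo/, and a spider that resolves the page's relative links against the URL it actually requested then produces ever-longer URLs, which is the loop the report observed. The hostname, document layout and link target are constructed; the accept_path_info flag models the two configurations (Includes on versus off), and its False branch is the "verify that the entire path is valid" check the Fix section asks for.

```python
import os
import re
import tempfile
from urllib.parse import urljoin, urlsplit

# Constructed sample site (not apache.org's content): an SSI-enabled front page
# whose only link is relative and has a directory component, plus the real target.
def make_docroot():
    root = tempfile.mkdtemp(prefix="docroot_")
    os.mkdir(os.path.join(root, "info"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write('<!--#include virtual="footer.html" --><a href="info/FAQ.html">FAQ</a>')
    with open(os.path.join(root, "info", "FAQ.html"), "w") as f:
        f.write("<p>FAQ</p>")
    return root

def split_path_info(docroot, request_path):
    """Walk the URL path against the filesystem the way a server does: the first
    component that names a regular file is served, anything after it is PATH_INFO.
    Returns (served_file, path_info), or (None, None) when no file matches."""
    parts = [p for p in request_path.split("/") if p]
    if any(p in (".", "..") for p in parts):      # refuse traversal components
        return None, None
    cur = docroot
    for i, part in enumerate(parts):
        candidate = os.path.join(cur, part)
        if os.path.isdir(candidate):
            cur = candidate
            continue
        if os.path.isfile(candidate):
            rest = parts[i + 1:]
            path_info = ("/" + "/".join(rest)) if rest else ""
            if rest and request_path.endswith("/"):
                path_info += "/"
            return candidate, path_info
        return None, None                          # component names nothing
    index = os.path.join(cur, "index.html")        # bare directory: serve its index
    return (index, "") if os.path.isfile(index) else (None, None)

def handle(docroot, request_path, accept_path_info):
    """Model the two configurations from the report. With accept_path_info=True the
    handler serves the file and ignores the trailing junk (what Includes did here);
    with False any request carrying PATH_INFO is refused with 404, the check the
    report's Fix section asks for. Returns (status, served_file)."""
    served, path_info = split_path_info(docroot, request_path)
    if served is None or (path_info and not accept_path_info):
        return 404, None
    return 200, served

def crawl(docroot, start_url, accept_path_info, max_steps=6):
    """A naive spider: fetch, take the first href, resolve it relative to the URL
    actually requested, repeat. Returns the list of URLs it requested."""
    requested, url = [], start_url
    for _ in range(max_steps):
        requested.append(url)
        status, served = handle(docroot, urlsplit(url).path, accept_path_info)
        if status != 200:
            break
        with open(served) as f:
            hrefs = re.findall(r'href="([^"]+)"', f.read())
        if not hrefs:
            break
        url = urljoin(url, hrefs[0])
    return requested

if __name__ == "__main__":
    root = make_docroot()
    for accept in (True, False):
        print("accept_path_info =", accept)
        for u in crawl(root, "http://www.example.test/index.html/foo/foo/", accept):
            print("  ", u)
```

With accept_path_info=True the crawl keeps going until max_steps and every URL is one "info/" segment longer than the last, all served from the same index.html; with False the very first request is refused, while the ordinary /index.html entry point still works and the link to /info/FAQ.html resolves to the real file. Apache 2.0 and later expose this same decision as the AcceptPathInfo directive.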
