https://bz.apache.org/bugzilla/show_bug.cgi?id=43666
--- Comment #4 from Viktor Ć tujber <[email protected]> --- The issue is caused by server/util_script.c::ap_add_cgi_vars(). At the end, it needs to define the variable "PATH_TRANSLATED", as required by https://www.rfc-editor.org/rfc/rfc3875#section-4.1.6 - by tacking on the cgi subpath to DocumentRoot, even though the result is a nonsensical path that doesn't exist. To achieve this, it calls server/request.c::ap_sub_req_lookup_uri(), lets it do its thing, and just picks up the computed 'filename' from the result. The fact that this call is actually trying to access the fake path, and is tripping security checks as it does so, makes me suspect it is not the most appropriate tool for the job. Reproduces on a default httpd install on ubuntu, freebsd, windows. Reproduces with mod_cgi and mod_wsgi. Requires only minimal edits: 1. edit httpd.conf - comment out 'Require all granted' from default DocumentRoot directory. 2. edit httpd.conf - append "ScriptAlias /test /tmp/test.cgi" "<Location /test>Require all granted</Location>". 3. wget http://localhost/test/whatever 4. [authz_core:error] [pid 1861] [client 127.0.0.1:20266] AH01630: client denied by server configuration: /usr/local/www/apache24/test/whatever The call stack looks like this for httpd 2.4.57: 1. ap_log_rerror_(file="mod_authz_core.c", int line=879, module_index=6, level=3, status=0, r=0x00bc2f00, fmt="AH01630...", ...) in server/log.c(1366) 2. authorize_user_core(r=0x00bc2f00, int after_authn=0) in modules/aaa/mod_authz_core.c(879) 3. authorize_userless(r=0x00bc2f00) in modules/aaa/mod_authz_core.c(916) 4. ap_run_access_checker_ex(r=0x00bc2f00) in server/request.c(92) 5. ap_process_request_internal(r=0x00bc2f00) in server/request.c(339) 6. ap_sub_req_method_uri(method="GET", new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2289) 7. ap_sub_req_lookup_uri(new_uri="/test", r=0x00bbeaf0, next_filter=NULL) in server/request.c(2301) 8. ap_add_cgi_vars(r=0x00bbeaf0) in server/util_script.c(432) 9. cgi_handler(r=0x00bbeaf0) in modules/generators/mod_cgi.c(805) -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
