Hi,

I found a bug whereby Apache 1.3.22 inconsistently handles the interaction
between aliases to non-existent paths and authentication. If the alias is
specified as an absolute path then a 401 is always served, but if the
alias is a relative path then in some cases a 404 will be served.

I don't see this as a security threat -- "an attacker could see that
you are dozy and have specified non-existent paths" doesn't really
instill fear -- but it nevertheless is leaking information which it
probably shouldn't.

To test it for yourselves, take one apache-1.3.22 tarball, configure,
make and make install. I did it in /usr/local/apache, so you'll
probably want to sed the patch if you try it somewhere else.

 $ cd /usr/local/apache
 $ patch -p0 < httpd.conf.patch # attached
 $ mv htdocs/manual .
 $ ln -s nowhere htdocs/broken
 $ bin/apachectl start

Finally, run test.sh. An annotated version of its output is as
follows:

 * Not an alias and not present in the docroot
    http://localhost:8080/Xmanual  401
    http://localhost:8080/Xmanual/ 401

 * Alias to an existing path
    http://localhost:8080/0manual  401
    http://localhost:8080/0manual/ 401

 * Aliases to non-existent relative paths
    http://localhost:8080/1manual  401
    http://localhost:8080/1manual/ 404    <<<<<<

    http://localhost:8080/2manual  404    <<<<<<
    http://localhost:8080/2manual/ 404    <<<<<<

    http://localhost:8080/3manual  404    <<<<<<
    http://localhost:8080/3manual/ 404    <<<<<<

    http://localhost:8080/4manual  401
    http://localhost:8080/4manual/ 404    <<<<<<

 * Aliases to non-existent absolute paths
    http://localhost:8080/5manual  401
    http://localhost:8080/5manual/ 401

    http://localhost:8080/6manual  401
    http://localhost:8080/6manual/ 401

    http://localhost:8080/7manual  401
    http://localhost:8080/7manual/ 401

    http://localhost:8080/8manual  401
    http://localhost:8080/8manual/ 401

 * Aliases to a relative path to a broken symlink
    http://localhost:8080/9manual  401
    http://localhost:8080/9manual/ 404    <<<<<<

    http://localhost:8080/Amanual  404    <<<<<<
    http://localhost:8080/Amanual/ 404    <<<<<<

    http://localhost:8080/Bmanual  404    <<<<<<
    http://localhost:8080/Bmanual/ 404    <<<<<<

    http://localhost:8080/Cmanual  401
    http://localhost:8080/Cmanual/ 404    <<<<<<

 * Aliases to an absolute path to a broken symlink
    http://localhost:8080/Dmanual  401
    http://localhost:8080/Dmanual/ 401

    http://localhost:8080/Emanual  401
    http://localhost:8080/Emanual/ 401

    http://localhost:8080/Fmanual  401
    http://localhost:8080/Fmanual/ 401

    http://localhost:8080/Gmanual  401
    http://localhost:8080/Gmanual/ 401

I don't know whether you'd prefer it to return a 401 or a 404 (it
follows the alias, but the new path isn't valid, and if the new path
isn't valid then why apply directory stuff to it?) Personally I prefer
returning a 401, but that's not my choice to make. Either way, the
fact that it is inconsistent is not good.

Cheers, and Merry Christmas,
Gary

[ [EMAIL PROTECTED] ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]
--- conf/httpd.conf.default     Fri Dec 21 14:37:10 2001
+++ conf/httpd.conf     Fri Dec 21 15:13:10 2001
@@ -293,6 +293,10 @@
 <Directory />
     Options FollowSymLinks
     AllowOverride None
+    AuthName "user access"
+    AuthType Basic
+    AuthUserFile conf/htpasswd
+    Require valid-user
 </Directory>
 
 #
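Review bot: `AuthUserFile conf/htpasswd` in the `<Directory />` block is itself a relative path, and none of the setup steps listed in the mail create that file. Since the report is about relative versus absolute path handling, an absolute `/usr/local/apache/conf/htpasswd` would remove one variable from the reproduction, and a line saying how the file is created would make the setup complete for the next person.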
@@ -549,6 +553,26 @@
         Allow from all
     </Directory>
 
+    # A bunch of aliases with which to test the problem
+    #
+    Alias /0manual/  /usr/local/apache/manual/
+    Alias /1manual/  manual/
+    Alias /2manual   manual/
+    Alias /3manual   manual
+    Alias /4manual/  manual
+    Alias /5manual/  /usr/local/apache/not/a/path/
+    Alias /6manual   /usr/local/apache/not/a/path/
+    Alias /7manual   /usr/local/apache/not/a/path
+    Alias /8manual/  /usr/local/apache/not/a/path
+    Alias /9manual/  broken/
+    Alias /Amanual   broken/
+    Alias /Bmanual   broken
+    Alias /Cmanual/  broken
+    Alias /Dmanual/  /usr/local/apache/htdocs/broken/
+    Alias /Emanual   /usr/local/apache/htdocs/broken/
+    Alias /Fmanual   /usr/local/apache/htdocs/broken
+    Alias /Gmanual/  /usr/local/apache/htdocs/broken
+
     # This Alias will project the on-line documentation tree under /manual/
     # even if you change the DocumentRoot. Comment it if you don't want to 
     # provide access to the on-line documentation.
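Review bot: the alias matrix has an absolute target that exists (`/0manual/`) but no relative target that exists, so the 404 results cannot be attributed to "relative" as opposed to "relative and missing". Adding one relative alias to a path known to exist would settle that. The single comment above the block could also label the four groups (existing, missing relative, missing absolute, broken symlink) and state which directory the relative targets `manual` and `broken` are meant to be relative to.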

Attachment: test.sh
Description: Bourne shell script
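A configuration check for the condition this report turns on, as an added example (it is not the attached test.sh and not code from the original post): it scans httpd.conf text for Alias directives whose target is relative, missing, or a broken symlink. The function names, the trailing-slash lint and the constructed sample tree are assumptions of this example.

```python
import os
import re
import tempfile

# Matches an active (uncommented) Alias directive: URL prefix, then target path.
ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+(\S+)\s*$', re.IGNORECASE)

def audit_aliases(conf_text):
    """Return [(url_prefix, target, findings)] for every Alias worth a second look."""
    report = []
    for line in conf_text.splitlines():
        m = ALIAS_RE.match(line)
        if not m:
            continue
        prefix, target = m.group(1), m.group(2).strip('"')
        findings = []
        if not os.path.isabs(target):
            findings.append("relative target")
        elif os.path.islink(target.rstrip("/")) and not os.path.exists(target):
            findings.append("broken symlink")
        elif not os.path.exists(target):
            findings.append("target does not exist")
        # Lint added by this example: the post's test matrix varies this on purpose.
        if prefix.endswith("/") != target.endswith("/"):
            findings.append("trailing-slash mismatch")
        if findings:
            report.append((prefix, target, findings))
    return report

def demo():
    """Constructed sample: a temp tree shaped like the post's (manual/, htdocs/broken -> nowhere)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "manual"))
        os.mkdir(os.path.join(root, "htdocs"))
        os.symlink("nowhere", os.path.join(root, "htdocs", "broken"))
        conf = "\n".join([
            f"Alias /0manual/  {root}/manual/",
            "Alias /1manual/  manual/",
            f"Alias /7manual   {root}/not/a/path",
            f"Alias /Fmanual   {root}/htdocs/broken",
            f"Alias /Gmanual/  {root}/htdocs/broken",
            f"# Alias /off/ {root}/nothing/",   # commented out, must be ignored
        ])
        return {prefix: findings for prefix, _target, findings in audit_aliases(conf)}

if __name__ == "__main__":
    for prefix, findings in demo().items():
        print(prefix, findings)
```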
