> Hi Folks,
>
> I'm reasonably certain that this is just a misconfigured mod_perl server
> on my part, but I can't seem to find a solution for it.
>
> We are currently running ModPerl::Registry to serve legacy CGI code.
> Now, consider the following URL, with an embedded newline:
>
> http://www.mysite.com/cgi-bin/search.cgi%0d%0a
>
> Since we obviously don't have a CGI file named with a trailing newline
> character, I would expect apache to return a 404 Not Found. However,
> apache happily hands the URL off to mod_perl, which attempts to stat
> search.cgi(newline), and fails with:
ModPerl is correct if the filename supplied doesn't exist (which you
seem to be implying that it doesn't), and what's really nice is that
it's informing you of the likely problem with the filename.
The URL that people should be using should just end with
"search.cgi" and if they're typing this in and adding "%0d%0a" to the
end of it then they deserve to receive a 404 Not Found error.
Now there are a few things you can do to solve this problem instead
of using the rewrite engine:
1. Create a <FilesMatch> stanza that matches files ending with
".cgi%0d%0a" and redirect them to the correct ".cgi" variant.
2. Program a custom 404 handler that detects filename requests
ending in ".cgi%0d%0a" and redirect them to the correct ".cgi"
variant.
I hope this helps.
[End of reply.]
> [Wed Feb 13 16:27:33 2013] [error] [client 192.168.254.21] Unsuccessful
> stat on filename containing newline at
> /usr/local/lib64/perl5/ModPerl/RegistryCooker.pm line 787.\n
>
> ... which in turn results in a 500 Server Error.
>
> Trying a similar URL with a php file on the same server correctly
> returns a 404. Also, requesting a file like
> /cgi-bin/this_file_does_not_exist.cgi correctly returns a 404. However,
> /cgi-bin/this_file_does_not_exist.cgi%0d%0a returns 500.
>
> What can / should I do to get the "correct" behaviour out of mod_perl?
> I could probably do something with a mod_rewrite RewriteRule to strip
> newlines, but I feel like I shouldn't have to run every request through
> a RewriteRule. I could also accept if mod_perl treated this as a
> warning, but that's not the case here.
>
> Here is line 787 of RegistryCooker.pm, btw:
>
> 783: # XXX: should go away when finfo() is ported to 2.0 (don't want to
> 784: # depend on compat.pm)
> 785: sub Apache2::RequestRec::my_finfo {
> 786: my $r = shift;
> 787: stat $r->filename;
> 788: \*_;
> 789: }
>
> Thoughts?
>
> Thanks!
> Michael
Randolf Richardson - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
http://www.inter-corporate.com/
