On 6/9/06, Ahn, Chang <ahnc@xxxxxxxxxxxxxxxx> wrote:
> I've just noticed an unusual behavior with Server-Side Include. With SSI enabled, I can continuously add the page name and still pull the same page. Basically http://www.abanet.org/tax/taxtips4u/scam.shtml/scam.shtml/scam.shtml/scam.shtml is the same page as http://www.abanet.org/tax/taxtips4u/scam.shtml. Instead of a 404, it actually finds the page.
>
> It's not rewrite rules; I removed them. And I don't have any Redirect rules. When I comment out the AddHandler directive, the problem goes away. I'm not sure if this is a recent occurrence with 1.3.34 (and I haven't found it in the bug report or FAQ). It's such a weird problem, I haven't been able to find any information on it (I'm probably not using the right search term because I'm not sure how to phrase this problem).
>
> I'm on Apache 1.3.34 and enabled SSI with the following directives:
>
> Options -ExecCGI -FollowSymLinks -Indexes +IncludesNOEXEC
> AddType text/html .shtml
> AddHandler server-parsed .shtml
>
> Any idea why SSI would allow these bad URLs?

They aren't bad URLs. They are URLs with PATH_INFO tagged on the end, which can be used by your CGI script. (Think, for example, of a script like http://example.com/convert-to-pdf.cgi/home/page.html which could grab /home/page.html and process it.)

In 2.x, you have the AllowPathInfo directive to control this behavior. In 1.3, you'd need to use a hack like

<LocationMatch \.shtml/.+>
Order deny,allow
Deny from all
</LocationMatch>

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
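
Added example (not part of the original thread): a Python check that scans access-log lines for .shtml requests carrying PATH_INFO that were still served, using the same pattern as the LocationMatch in the reply, so you can confirm the deny rule is taking effect. The Common Log Format layout, the function name and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Same pattern as the LocationMatch in the reply: a .shtml file followed by extra path.
SHTML_PATH_INFO = re.compile(r"\.shtml/.+")

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, path taken from the question).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2006:10:00:01 -0400] "GET /tax/taxtips4u/scam.shtml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [09/Jun/2006:10:00:02 -0400] "GET /tax/taxtips4u/scam.shtml/scam.shtml/scam.shtml HTTP/1.1" 200 5120',
    '192.0.2.12 - - [09/Jun/2006:10:00:03 -0400] "GET /tax/taxtips4u/scam.shtml/extra HTTP/1.1" 403 210',
    '192.0.2.13 - - [09/Jun/2006:10:00:04 -0400] "GET /tax/taxtips4u/scam.shtml?ref=/home/page.html HTTP/1.1" 200 5120',
    '192.0.2.14 - - [09/Jun/2006:10:00:05 -0400] "GET /tax/taxtips4u/scam.sht%6Dl/x HTTP/1.1" 200 5120',
]


def served_with_path_info(log_lines):
    """Return (client, path, status) for .shtml requests with PATH_INFO that were not refused."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable request line
        client, _method, target, status = m.groups()
        # Drop the query string, then decode %xx so encoded spellings of ".shtml" still match.
        path = unquote(target.split("?", 1)[0])
        if SHTML_PATH_INFO.search(path) and int(status) < 400:
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in served_with_path_info(SAMPLE_LOG):
        print(f"{status} {client} {path}")
```

Once the deny rule is active, the same requests should appear in the log with a 403 status and drop out of the result.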