Thanks, that worked. I didn't even consider that this was a legitimate
feature. I would think that IncludeNoExec and -ExecCGI would disable
this feature.

Chang

-----Original Message-----
From: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx] On Behalf Of Joshua Slive
Sent: Friday, June 09, 2006 11:16 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] SSI and accepting bad URL.

On 6/9/06, Ahn, Chang <ahnc@xxxxxxxxxxxxxxxx> wrote:
> I've just noticed an unusual behavior with Server-Side Include. With
> SSI enabled, I can continuously add the page name and still pull the
> same page. Basically
> http://www.abanet.org/tax/taxtips4u/scam.shtml/scam.shtml/scam.shtml/scam.shtml
> is the same page as
> http://www.abanet.org/tax/taxtips4u/scam.shtml. Instead of a 404, it
> actually finds the page.
>
> It's not rewrite rules; I removed them. And I don't have any Redirect
> rules. When I comment out the AddHandler directive, the problem goes
> away. I'm not sure if this is a recent occurrence with 1.3.34 (and I
> haven't found it in the bug report or FAQ). It's such a weird
> problem, I haven't been able to find any information on it (I'm
> probably not using the right search term because I'm not sure how to
> phrase this problem).
>
> I'm on Apache 1.3.34 and enabled SSI with the following directives:
>
> Options -ExecCGI -FollowSymLinks -Indexes +IncludesNOEXEC
> AddType text/html .shtml
> AddHandler server-parsed .shtml
>
> Any idea why SSI would allow these bad URLs?

They aren't bad URLs. They are URLs with PATH_INFO tagged on the end,
which can be used by your CGI script. (Think, for example, of a script
like http://example.com/convert-to-pdf.cgi/home/page.html which could
grab /home/page.html and process it.)

In 2.x, you have the AllowPathInfo directive to control this behavior.
In 1.3, you'd need to use a hack like

<LocationMatch \.shtml/.+>
Order deny,allow
Deny from all
</LocationMatch>

Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
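
Added example, not part of the original thread: a Python check that scans access-log lines for successful requests carrying PATH_INFO after a .shtml file, i.e. the requests the LocationMatch rule in the reply would deny. The log lines are constructed, and Common Log Format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Same pattern as the LocationMatch rule in the thread:
# a .shtml segment followed by a slash and at least one more character.
PATH_INFO_RE = re.compile(r"\.shtml/.+")

# Common Log Format (assumed): host ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP range, path taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2006:11:02:13 -0400] "GET /tax/taxtips4u/scam.shtml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [09/Jun/2006:11:02:40 -0400] "GET /tax/taxtips4u/scam.shtml/scam.shtml/scam.shtml HTTP/1.1" 200 5120',
    '192.0.2.12 - - [09/Jun/2006:11:03:05 -0400] "GET /tax/taxtips4u/scam.shtml/x HTTP/1.1" 403 210',
    '192.0.2.13 - - [09/Jun/2006:11:03:30 -0400] "GET /tax/taxtips4u/scam.shtml?ref=home/page HTTP/1.1" 200 5120',
]

def split_path_info(target):
    """Split a request target into (file part, PATH_INFO) at the first .shtml segment."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    m = re.search(r"\.shtml(?=/)", path)
    if not m:
        return path, ""
    return path[:m.end()], path[m.end():]

def find_path_info_hits(lines):
    """Return (host, file, path_info, status) for 2xx responses the rule would have denied."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a parseable CLF line
        host, _method, target, status = m.groups()
        path = unquote(urlsplit(target).path)
        if status.startswith("2") and PATH_INFO_RE.search(path):
            script, info = split_path_info(target)
            hits.append((host, script, info, status))
    return hits

if __name__ == "__main__":
    for host, script, info, status in find_path_info_hits(SAMPLE_LOG):
        print(f"{host} got {status} for {script} with PATH_INFO {info}")
```

Hits that remain after the rule is deployed mean it is not in effect for that location; the 403 line in the sample is what a denied request looks like.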