
[Bug 62698] New: Preventing mod_autoindex listing of directory (error 403)


https://bz.apache.org/bugzilla/show_bug.cgi?id=62698

            Bug ID: 62698
           Summary: Preventing mod_autoindex listing of directory (error
                    403)
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_core
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: apache@xxxxxxx
  Target Milestone: ---

mod_authz will prevent mod_autoindex from generating a listing of a directory
without an index file in certain cases.

For security reasons (illegally uploaded files) a generation of the following
is performed for all directories:

<Directory "/var/www/html/dom.tld/sub">
Require all granted
<FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
Require all denied
</FilesMatch>
<Files "address.php">
Require all granted
</Files>
</Directory>


In httpd.conf for the vhosts:

DirectoryIndex index.var index.htm index.cgi index.php

Options IncludesNOEXEC FollowSymlinks ExecCGI Multiviews

<Directory "/var/www/html/don.tld/sub">
Options +Indexes
Require all granted
</Directory>

mod_authz will assume a Require all denied when testing for e.g. index.php,
which is not present in the directory, but disallowed by the generated rule.
A 403 error will be returned instead of turning over the action to
mod_autoindex.

There should be no consequences for testing a 'denied' rule against a
non-existent file.

[Fri Sep 07 22:23:29.769962 2018] [authz_core:error] [pid 25764:tid
140612263212800] AH01630: client denied by server configuration:
/var/www/html/dom.tld/sub/index.php
[Fri Sep 07 22:23:29.769964 2018] [core:trace3] [pid 25764:tid 140612263212800]
request.c(119): auth phase 'check access' gave status 403: /utils/index.php

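An added example, not part of the original report: a small configuration check that lists which DirectoryIndex candidates fall under a 'Require all denied' file rule by name alone, the condition the report ties to the 403. The function names are hypothetical, the embedded configuration is copied from the report, and the model assumes only 'Require all granted|denied' lines, with a later <Files>/<FilesMatch> section overriding an earlier one.

```python
import fnmatch
import re

# Constructed input: the generated rule and DirectoryIndex line quoted in the report.
CONFIG = r'''
DirectoryIndex index.var index.htm index.cgi index.php
<Directory "/var/www/html/dom.tld/sub">
Require all granted
<FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
Require all denied
</FilesMatch>
<Files "address.php">
Require all granted
</Files>
</Directory>
'''

def parse(config):
    """Return (index_names, directory_default, [(matcher, verdict), ...])."""
    names, default, rules, current = [], "granted", [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("directoryindex"):
            names = line.split()[1:]
        elif m := re.match(r'<FilesMatch\s+"(.*)"\s*>$', line, re.I):
            current = re.compile(m.group(1)).search      # regex section
        elif m := re.match(r'<Files\s+"(.*)"\s*>$', line, re.I):
            current = lambda n, p=m.group(1): fnmatch.fnmatchcase(n, p)  # wildcard section
        elif re.match(r'</Files(Match)?>$', line, re.I):
            current = None                               # back at <Directory> level
        elif m := re.match(r'Require\s+all\s+(granted|denied)$', line, re.I):
            if current is None:
                default = m.group(1).lower()
            else:
                rules.append((current, m.group(1).lower()))
    return names, default, rules

def denied_index_names(config):
    """DirectoryIndex candidates whose name alone lands on 'Require all denied'."""
    names, default, rules = parse(config)
    out = []
    for name in names:
        verdict = default
        for matches, rule_verdict in rules:  # assumption: later section wins
            if matches(name):
                verdict = rule_verdict
        if verdict == "denied":
            out.append(name)
    return out
```

Run against the configuration above, denied_index_names(CONFIG) reports index.cgi and index.php, while a candidate named address.php would pass because of the later <Files> section.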