Received: (qmail 31388 invoked by uid 501); 25 Nov 2001 21:41:03 -0000 Message-Id: <20011125214103.31387.qmail@apache.org> Date: 25 Nov 2001 21:41:03 -0000 From: Peter Bieringer Reply-To: pb@bieringer.de To: submit@bugz.apache.org Subject: "listen
" without corresponding "virtual host" and also no "default virtual host" was routed to compiled-in docroot X-Send-Pr-Version: 3.110 >Number: 8857 >Category: config >Synopsis: If DocumentRoot is not configured, an error should be returned >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Sun Nov 25 13:50:00 PST 2001 >Closed-Date: >Last-Modified: Mon Nov 26 15:46:15 PST 2001 >Originator: pb@bieringer.de >Release: 1.3.14 and 2.0.28 >Organization: >Environment: Red Hat Linux 6.2 >Description: Looks like this is a historic behavior which can be become a security hole, if Apache config is not really reviewed or proper defined. Config: upper lines do not contain any listen or docroot Listen 192.168.1.17:80 Listen 192.168.1.18:80 DocumentRoot /home/internet/testserver3/pub DocumentRoot /home/internet/testserver3/pub If second virtual host is disabled, a request to 192.168.1.18:80 is routed to compiled-in docroot (in my case "/usr/htdocs/"). Means: if someone forgot to setup a "default virtual host" but has one listen address with no correspondending "virtual host", compiled-in configuration is used. >How-To-Repeat: See description >Fix: Hmm, best way would be if any "virtual host" is active, the main will go inactive (e.g. report an error 501 on connect) and must be explicitly reenabled as "default virtual host". Unfortunately, this break many examples and rolled-out configurations. >Release-Note: >Audit-Trail: Comment-Added-By: slive Comment-Added-When: Mon Nov 26 15:46:15 PST 2001 Comment-Added: I think the real bug you are reporting here is simply that DocumentRoot has a compiled in default. I could perhaps agree that if you don't specify a DocumentRoot for a host you are serving, you should get a 500 error. But it makes no difference whether it is a virtualhost or not. Synopsis-Changed-From: "listen
" without corresponding "virtual host" and also no "default virtual host" was routed to compiled-in docroot Synopsis-Changed-To: If DocumentRoot is not configured, an error should be returned Synopsis-Changed-By: slive Synopsis-Changed-When: Mon Nov 26 15:46:15 PST 2001 Category-Changed-From-To: general-config Category-Changed-By: slive Category-Changed-When: Mon Nov 26 15:46:15 PST 2001 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]