Received: (qmail 73869 invoked by uid 501); 18 Dec 2001 16:13:45 -0000 Message-Id: <20011218161345.73868.qmail@apache.org> Date: 18 Dec 2001 16:13:45 -0000 From: Steve Sobel Reply-To: ssobel@home.com To: submit@bugz.apache.org Subject: apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension X-Send-Pr-Version: 3.110 >Number: 9181 >Category: general >Synopsis: apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Dec 18 08:20:01 PST 2001 >Closed-Date: Tue Dec 18 08:22:10 PST 2001 >Last-Modified: Tue Dec 18 08:50:00 PST 2001 >Originator: ssobel@home.com >Release: 1.3.22 >Organization: >Environment: Linux hydrox 2.2.19 #2 Fri Apr 27 03:52:49 CDT 2001 i686 unknown >Description: Apache serves up a webpage instead of a 404 error when the directory in which the nonexistent file is being requested matches the filename of a module-supported file extension. For example: If PHP is installed, or, in the case I found the bug, RACE (but PHP experiences the same problem, which is how I determined it to probably be an Apache bug): If, in the root directory of the website, there is a file called somepage.php, then the URL http://www.someserver.com/somepage/thisfiledoesntexist Serves up somepage.ace instead of giving a 404 error. As a result, the browser views somepage.ace, but improperly since the path the browser is viewing is different from the actual path of the file. Either way, however, the file should not be served up at all - a 404 error should be given. >How-To-Repeat: http://dev.riverwatcher.com/nematologists/index.ace -- proper. http://dev.riverwatcher.com/nematologists/index/nonexistentfile -- improper. http://dev.riverwatcher.com/nematologists/blahblah.htm -- htm file exists http://dev.riverwatcher.com/nematologists/blahblah/nonexistentfile -- bug doesn't occur. >Fix: Apache probably shouldn't serve these pages up... :-) >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Tue Dec 18 08:22:10 PST 2001 State-Changed-Why: This is a feature, which you have enabled in your configuration. Please see the information about multiviews at http://httpd.apache.org/docs/content-negotiation.html From: "William A. Rowe, Jr." To: , , Cc: Subject: Re: general/9181: apache serves up files instead of 404 error when a directory name is requested that matches a file with a supported module extension Date: Tue, 18 Dec 2001 10:42:43 -0600 More on Marc's comments to you... it's up to a script to look at PATH_INFO and return a 404 not found error if that PATH_INFO doesn't exist. This has been a server feature for years. Marc was talking about /somepage/doesnotexist v.s. /somepage.php/doesnotexist. You can get rid of the former by disabling Multiviews. The later still works. 2.0.30 introduces the AcceptPathInfo off directive for CGI's (and php, and any other handler) that will 404 for you. In the meantime, it's up to your script to report 404 if that's what it wants to do with PATH_INFO. Bill >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]