[dev.icinga.com #2735] global match in ./etc/apache2/icinga-web.conf.in #821
Comments
Updated by calestyo on 2012-06-29 23:00:26 +00:00
Actually there are more possible problems:
a) They also have no begin anchor "^".
b) What is good however is the trailing "/" (after styles and images).
c) Using \w+ (and not \w*) is also good and important.
So I'd suggest to change this to:

a) As noted above, the missing beginning "^".
b) /([A-Za-z0-9]+)/ and /([A-Za-z0-9]+)/
c) /([A-Za-z0-9]+\.css)$ and ([A-Za-z_\-0-9]+\.(png|gif|jpg)). I would further replace (png|gif|jpg) by (?:png|gif|jpg).
d) The trailing $ is good and important.
So I'd suggest:
Updated by calestyo on 2012-06-29 23:19:25 +00:00
Attached patch does the above changes plus
Updated by calestyo on 2012-06-29 23:22:33 +00:00
On a further side note:
a) SymLinksIfOwnerMatch instead of FollowSymLinks should work, too, and is a tiny little bit more safe.
b) As far as I can see, there are no symlinks at all distributed by icinga-web, so I'd suggest to remove that Option altogether.
Updated by mfrosch on 2012-07-02 12:32:14 +00:00
http://httpd.apache.org/docs/current/mod/mod_rewrite.html It says:
Updated by calestyo on 2012-07-02 23:26:40 +00:00
Yes you are right, I've noted that soon afterwards, but forgot to upgrade; but it also works with SymLinksIfOwnerMatch... which is at least a very tiny bit safer in case real symlinks should move in accidentally. And everything else in that report is obviously unaffected by this :)
Updated by mfriedrich on 2012-10-11 22:09:48 +00:00
Updated by calestyo on 2012-10-11 23:55:36 +00:00
Hi Michael. What kind of feedback do you wish? :) Chris.
Updated by calestyo on 2012-12-16 15:35:47 +00:00
safe-regexps.v2.patch adds the following changes to safe-regexps.patch:
Updated by calestyo on 2012-12-16 15:45:11 +00:00
This is taken over from bug #3499 as suggested by Jannis:
One should notice that AliasMatch does not automatically fold multiple consecutive slashes into one, as Alias or DirectoryMatch does (see also Apache bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=54307 and https://issues.apache.org/bugzilla/show_bug.cgi?id=54308).
So e.g. "
For any cases of multiple / outside the
I think this is rather a cosmetic/perfectionism issue... but ideally all occurrences of / (especially also in the value of
Attached file (v3) adds the following changes to v2:
TODO:
If that's all too much effort to implement, then simply stay at the v2 patch :) Cheers,
Updated by mfrosch on 2012-12-17 10:00:02 +00:00
Will be fixed with #3500. Please comment there for further questions. -Markus
Updated by mfrosch on 2012-12-17 10:06:01 +00:00
This issue has been migrated from Redmine: https://dev.icinga.com/issues/2735
Created by calestyo on 2012-06-27 14:14:42 +00:00
Assignee: (none)
Status: Resolved (closed on 2012-12-17 10:00:02 +00:00)
Target Version: 1.9
Last Update: 2012-12-17 10:06:01 +00:00 (in Redmine)
Hi.
There is a nasty bug in ./etc/apache2/icinga-web.conf.in:
The lines:

    AliasMatch @web_path@/modules/([A-Za-z0-9]+)/resources/styles/([A-Za-z0-9]+\.css)$ @prefix@/app/modules/$1/pub/styles/$2
    AliasMatch @web_path@/modules/([A-Za-z0-9]+)/resources/images/([A-Za-z_\-0-9]+\.(png|gif|jpg))$ @prefix@/app/modules/$1/pub/images/$2

lead to any RELATIVE occurrence of such strings being matched, not just absolute ones:
See https://httpd.apache.org/docs/current/mod/mod_alias.html#aliasmatch:
Please add a "^" to the beginning of the patterns, i.e.:

    AliasMatch ^@web_path@/modules/([A-Za-z0-9]+)/resources/styles/([A-Za-z0-9]+\.css)$ @prefix@/app/modules/$1/pub/styles/$2
    AliasMatch ^@web_path@/modules/([A-Za-z0-9]+)/resources/images/([A-Za-z_\-0-9]+\.(png|gif|jpg))$ @prefix@/app/modules/$1/pub/images/$2

Marking as high, as this could remotely be even security relevant.
Cheers,
Chris.
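The following is an added illustration, not part of the report, the comments, or icinga-web itself. It emulates how AliasMatch applies its regex to the request URL path (Apache matches the pattern unanchored, which Python's `re.search` reproduces) and runs both the reported pattern and the one with the leading `^` over a few constructed request paths. The samples cover the points raised in the thread: the missing `^` (the report), the trailing `$` and the `+` quantifier (comment of 2012-06-29), the non-capturing `(?:png|gif|jpg)` group, and the fact that AliasMatch does not fold doubled slashes (comment of 2012-12-16). `WEB_PATH` and `PREFIX` are assumed stand-ins for the `@web_path@` and `@prefix@` placeholders; `build_pattern`, `alias_target` and `evaluate` are helper names chosen here.

```python
import re

# Assumed stand-ins for the @web_path@ / @prefix@ autoconf placeholders
# in icinga-web.conf.in (constructed values, not taken from the report).
WEB_PATH = "/icinga-web"
PREFIX = "/usr/local/icinga-web"

# Regex bodies from the report, with the "+" quantifier the thread calls
# important ("\w+ and not \w*") and the non-capturing image group.
CSS_RE = r"/modules/([A-Za-z0-9]+)/resources/styles/([A-Za-z0-9]+\.css)$"
IMG_RE = r"/modules/([A-Za-z0-9]+)/resources/images/([A-Za-z_\-0-9]+\.(?:png|gif|jpg))$"


def build_pattern(kind, anchored):
    """Compile the AliasMatch regex for 'css' or 'img', with or without the leading ^."""
    body = re.escape(WEB_PATH) + (CSS_RE if kind == "css" else IMG_RE)
    return re.compile(("^" if anchored else "") + body)


def alias_target(url_path, kind, anchored):
    """Emulate AliasMatch: Apache runs the regex unanchored against the URL
    path (re.search), so without "^" the match may start at any offset.
    Returns the substituted filesystem path, or None if the rule does not apply."""
    m = build_pattern(kind, anchored).search(url_path)
    if m is None:
        return None
    subdir = "styles" if kind == "css" else "images"
    return f"{PREFIX}/app/modules/{m.group(1)}/pub/{subdir}/{m.group(2)}"


# Constructed request paths, one per point discussed in the thread.
SAMPLES = {
    # the intended case: served from the module's pub/styles directory
    "normal": f"{WEB_PATH}/modules/cronks/resources/styles/main.css",
    # the report's complaint: a RELATIVE occurrence inside another path
    "relative": f"/other{WEB_PATH}/modules/cronks/resources/styles/main.css",
    # trailing "$" stops the rule from matching extra suffixes
    "no_dollar": f"{WEB_PATH}/modules/cronks/resources/styles/main.css.bak",
    # "+" (not "*") refuses an empty module name
    "empty_module": f"{WEB_PATH}/modules//resources/styles/main.css",
    # AliasMatch does not fold "//", so this request matches neither rule
    "double_slash": f"{WEB_PATH}//modules/cronks/resources/styles/main.css",
}


def evaluate(kind="css"):
    """Return {sample name: (target without ^, target with ^)} for every sample."""
    return {name: (alias_target(p, kind, False), alias_target(p, kind, True))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:13s} unanchored={loose!r}")
        print(f"{'':13s}   anchored={strict!r}")
```

Only the "relative" sample differs between the two variants: the unanchored rule maps a request under `/other/...` onto the icinga-web module directory, while the anchored rule leaves it to whatever other configuration applies. The doubled-slash sample shows the effect the 2012-12-16 comment describes: the request simply falls through both rules rather than being served.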