$ anchor doesn't work in Directory ~ regexp

Bug #947744 reported by jimav
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ (end-of-line anchor) seems to break regular expressions with the Directory config directive.

The $ is not being treated literally, but it is not ignored either. If present, it seems to completely prevent matching.

Steps to demonstrate:
1. Create the following test files in your tree (e.g. under /var/www/somewhere):

       echo "should be protected" > foo.BAK
       mkdir dir.BAK
       echo "should be protected" >dir.BAK/file
       echo "should be readable" > french.BAKERY

2. Add to /etc/apache2/apache2.conf:

# This is intended to prevent access to any *.BAK (or contents, if directory)
# Note: We are using a regular expression, not wildcard syntax, and there is
# no initial ^ anchor. Therefore it should match at the tail of any path.
<Directory ~ "\.BAK$">
    Order allow,deny
    Deny from all
    Satisfy all
</Directory>

3. sudo /etc/init.d/apache2 restart

4. Try to access the files.
wget -O- http://localhost/somewhere/foo.BAK # should get permission denied, but succeeds
wget -O- http://localhost/somewhere/dir.BAK/file # should get permission denied, but succeeds
wget -O- http://localhost/somewhere/french.BAKERY # succeeds
wget -O- http://localhost/somewhere/'foo.BAK$' # fails, proving the $ does not match literally

5. Remove the trailing "$" from the Directory ~ regex in apache2.conf, and restart the server

6. Test again:
wget -O- http://localhost/somewhere/foo.BAK # permission denied as expected
wget -O- http://localhost/somewhere/dir.BAK/file # permission denied as expected
wget -O- http://localhost/somewhere/french.BAKERY # should succeed, but FAILS (because the regexp is not anchored at the end)

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: apache2 2.2.20-1ubuntu1.2
Date: Mon Mar 5 21:08:07 2012

Robie Basak (racb) wrote :

From http://httpd.apache.org/docs/2.2/mod/core.html#directorymatch:
    "The end-of-line character ($) cannot be matched with this directive."

I appreciate that you're using <Directory ~ ...> rather than <DirectoryMatch "...">, but I cannot find any documented difference between the two. I suspect that they work the same internally.

So I'm marking this bug as Invalid. If you find reason to disagree, please do reopen.

Changed in apache2 (Ubuntu):
status: New → Invalid
jimav (james-avera) wrote :

If it's really not a bug, would you please change the documentation of "Directory" to make clear that end-of-line $ is not intended to work?

I see now that it says this for DirectoryMatch but there is no mention of this limitation where Directory is documented in the manual. Thanks.

Robie Basak (racb) wrote :

I agree that if this is expected behaviour then it should be documented more clearly - specifically in the Directory section as well as the DirectoryMatch section.

I'm reluctant to suggest a change in Ubuntu for this, unless the upstream Apache project who develop the software also carry the fix, because I'm not absolutely certain that I'm correct. They may say that I'm wrong, or that Ubuntu's behaviour is incorrect in this regard.

If you'd like to take this further, the best place would be on the Apache HTTP Server mailing lists (http://httpd.apache.org/lists.html) or upstream bug tracker (http://httpd.apache.org/bug_report.html). They will be able to verify for certain whether this is expected behaviour or a bug.

The first thing to do would be to ask them if this is expected behaviour or a bug. You should point them to this bug that you have filed here, and also comment in here to link to your report upstream.

jimav (james-avera) wrote :

Adding this comment in case someone else finds this bug:

This has apparently been fixed upstream in apache2 v2.3.9, but AFAIK Ubuntu is still on v2.2.x (March 2013).

"This directive applies to requests for directories that may or may not end in a trailing slash, so expressions that are anchored to the end of line ($) must be written with care."

http://httpd.apache.org/docs/2.4/mod/core.html#directorymatch
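
Added example, not part of the original report or of Apache: a small Python check that scans configuration text for `<Directory ~ ...>` and `<DirectoryMatch ...>` sections whose regex ends in an unescaped `$`. Per the 2.2 documentation quoted above, such a section cannot match, so its access rules are not applied. The function names and the sample configuration are constructed for illustration.

```python
import re

# Opening tag of a regex section: <Directory ~ "re"> or <DirectoryMatch "re">.
# Commented-out lines never match because the tag must start the line.
SECTION = re.compile(
    r'^\s*<\s*(?:Directory\s+~|DirectoryMatch)\s+(?:"([^"]*)"|(\S+?))\s*>\s*$',
    re.IGNORECASE,
)

def ends_with_anchor(pattern):
    """True if the regex ends in an unescaped $ (an end-of-line anchor)."""
    if not pattern.endswith("$"):
        return False
    # An odd count of backslashes before the final $ makes it a literal.
    body = pattern[:-1]
    backslashes = len(body) - len(body.rstrip("\\"))
    return backslashes % 2 == 0

def find_anchored_sections(conf_text):
    """Return (line_number, regex) for each regex section ending in $."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = SECTION.match(line)
        if match is None:
            continue
        quoted, bare = match.groups()
        pattern = quoted if quoted is not None else bare
        if ends_with_anchor(pattern):
            hits.append((number, pattern))
    return hits

# Constructed sample configuration, modelled on the report above.
SAMPLE_CONF = r'''
# <Directory ~ "\.OLD$">
<Directory ~ "\.BAK$">
    Deny from all
</Directory>
<DirectoryMatch "^/var/www/.*/private">
    Deny from all
</DirectoryMatch>
<Directory ~ "price\$">
    Deny from all
</Directory>
<Directory /var/www/>
    Options None
</Directory>
'''
if __name__ == "__main__":
    for number, pattern in find_anchored_sections(SAMPLE_CONF):
        print(f"line {number}: {pattern!r} ends in $; review on Apache 2.2")
```

Any section it reports should be confirmed with requests like the wget tests in the bug description, since the outcome depends on the Apache version in use.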
