mime.conf ignores dependency to mod_include

Bug #1675184 reported by Stephan on 2017-03-22
This bug affects 1 person
Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

In Ubuntu 16.04 LTS the file installed by apache2 as /etc/apache2/mods-available/mime.conf includes the following section:

        #
        # Filters allow you to process content before it is sent to the client.
        #
        # To parse .shtml files for server-side includes (SSI):
        # (You will also need to add "Includes" to the "Options" directive.)
        #
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml

The AddOutputFilter line needs mod_include to function correctly. If mod_include is not enabled, but mime.conf is enabled, then any request to a file ending in .shtml will cause the following error to be printed in the log:

AH00082: an unknown filter was not added: includes

This can be quite irritating.

It can be fixed by only adding the output filter in case the required mod_include is available:

<IfModule mod_include.c>
        AddOutputFilter INCLUDES .shtml
</IfModule>

In case this fix is something Ubuntu does not want to fix but expects from upstream please report accordingly upstream to have a fix included in Ubuntu.

Stephan (world-wide) on 2017-03-22
description: updated
Nish Aravamudan (nacc) wrote :

Hello and thank you for reporting this issue.

Did you change your config to include the stated item:

        # (You will also need to add "Includes" to the "Options" directive.)

?

Just wondering if that alone fixes it? Given that this code is inherited from Debian, we probably want to fix it there, would you be willing to report the bug there or see if it has already been filed?

Changed in apache2 (Ubuntu):
status: New → Incomplete
Stephan (world-wide) wrote :

Hello Nish,

please find some additional details below.

I don't use mod_include and don't plan to. I simply want to have the mime types from mime.conf.

If I loaded mod_include, then no error would be reported. .shtml would still require Includes to be set in the options, but this is a different topic.

Here the problem is that an OutputFilter is added which is not available in Apache, thus producing an error in the log. This would happen even if the file does not exist, for example when trying to load http://example.com/notexist.shtml.

mime.conf should only add OutputFilter for modules actually available. So adding the IfModule as stated above ensures this dependency.

I agree that this might be something needed to be fixed upstream. I indicated this in the initial report. Unfortunately I am not that experienced on how to best report this (either with Debian or with Apache). So it would be great if someone more familiar with the process involved could do this. I didn't find any Debian bug report mentioning mime.conf and AddOutputFilter.
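
A small linter for the dependency discussed in this thread, added here as an example (not code from the bug report or from the apache2 package): it flags AddOutputFilter/SetOutputFilter lines whose filter is not enclosed in an `<IfModule>` guard for the module that provides it. The function name, the provider table and the two sample configs are constructed for illustration, and the check goes slightly beyond the report by also covering SetOutputFilter and the DEFLATE filter.

```python
import re

# Output filter -> names an <IfModule> guard may use for the providing module.
# Constructed lookup table covering two stock filters; extend as needed.
PROVIDERS = {
    "INCLUDES": ("mod_include.c", "include_module"),
    "DEFLATE": ("mod_deflate.c", "deflate_module"),
}
OPEN = re.compile(r"<IfModule\s+(!?)([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</IfModule\s*>", re.I)
DIRECTIVE = re.compile(r"(?:Add|Set)OutputFilter\s+(\S+)", re.I)

def unguarded_filters(conf_text):
    """Return [(line_no, filter, module)] for filters used outside a guard."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            # A negated guard (<IfModule !x>) proves nothing about x being loaded.
            stack.append(None if opened.group(1) else opened.group(2).lower())
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            used = DIRECTIVE.match(line)
            for name in (used.group(1).upper().split(";") if used else []):
                guards = PROVIDERS.get(name)
                if guards and not any(g in stack for g in guards):
                    findings.append((line_no, name, guards[0]))
    return findings

# Constructed samples: the directive as quoted in the report, and the proposed fix.
BEFORE = """\
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
"""
AFTER = """\
AddType text/html .shtml
<IfModule mod_include.c>
    AddOutputFilter INCLUDES .shtml
</IfModule>
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, unguarded_filters(conf))
```
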

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu1

---------------
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
    - debian/control: switch BuildDepends to libssl1.0-dev
    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
    - debian/rules: remove openssl virtual package and logic

apache2 (2.4.29-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Replace outdated dependency on dh-systemd

  [ Ondřej Surý ]
  * New upstream version 2.4.29
  * Refresh quilt patches
  * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
  * Refresh patches on top of upstream release 2.4.29
  * Fix Apache crash on restarts (ASF Bug 61558)
  * Add deconfigure to the list of recognized scripts (Closes: #877524)

apache2 (2.4.27-6) unstable; urgency=high

  * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
    which could result in HTTP OPTIONS method leaking Apache's server memory.
    Closes: #876109
  * Fix argument escaping in apachectl. Closes: #876384

apache2 (2.4.27-5) unstable; urgency=medium

  * Upload to unstable.
  * Update "Breaks:" for openssl transition.
  * Bump Standards-Version to 4.1.0. No changes needed.

apache2 (2.4.27-4) experimental; urgency=medium

  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME an...

Changed in apache2 (Ubuntu):
status: Expired → Fix Released