Hi Folks,
I'm reasonably certain that this is just a misconfigured mod_perl server
on my part, but I can't seem to find a solution for it.
We are currently running ModPerl::Registry to serve legacy CGI code.
Now, consider the following URL, with an embedded newline:
http://www.mysite.com/cgi-bin/search.cgi%0d%0a
Since we obviously don't have a CGI file named with a trailing newline
character, I would expect apache to return a 404 Not Found. However,
apache happily hands the URL off to mod_perl, which attempts to stat
search.cgi(newline), and fails with:
[Wed Feb 13 16:27:33 2013] [error] [client 192.168.254.21] Unsuccessful
stat on filename containing newline at
/usr/local/lib64/perl5/ModPerl/RegistryCooker.pm line 787.\n
... which in turn results in a 500 Server Error.
Trying a similar URL with a php file on the same server correctly
returns a 404. Also, requesting a file like
/cgi-bin/this_file_does_not_exist.cgi correctly returns a 404. However,
/cgi-bin/this_file_does_not_exist.cgi%0d%0a returns 500.
What can / should I do to get the "correct" behaviour out of mod_perl?
I could probably do something with a mod_rewrite RewriteRule to strip
newlines, but I feel like I shouldn't have to run every request through
a RewriteRule. I could also accept if mod_perl treated this as a
warning, but that's not the case here.
Here is line 787 of RegistryCooker.pm, btw:
783: # XXX: should go away when finfo() is ported to 2.0 (don't want to
784: # depend on compat.pm)
785: sub Apache2::RequestRec::my_finfo {
786: my $r = shift;
787: stat $r->filename;
788: \*_;
789: }
Thoughts?
Thanks!
Michael