(Sorry so slow in responding, been out of the office)
Randolf Richardson wrote:
Hi Folks,
I'm reasonably certain that this is just a misconfigured mod_perl server
on my part, but I can't seem to find a solution for it.
We are currently running ModPerl::Registry to serve legacy CGI code.
Now, consider the following URL, with an embedded newline:
http://www.mysite.com/cgi-bin/search.cgi%0d%0a
Since we obviously don't have a CGI file named with a trailing newline
character, I would expect apache to return a 404 Not Found. However,
apache happily hands the URL off to mod_perl, which attempts to stat
search.cgi(newline), and fails with:
ModPerl is correct if the filename supplied doesn't exist (which you
seem to be implying that it doesn't), and what's really nice is that
it's informing you of the likely problem with the filename.
The URL that people should be using should just end with
"search.cgi" and if they're typing this in and adding "%0d%0a" to the
end of it then they deserve to receive a 404 Not Found error.
I agree completely! Unfortunately, that's not what's happening. We're
not getting a 404, we're getting a 500 Internal Server Error. I guess
that is because perl is throwing an untrapped exception when it sees the
filename-with-newline. But yes, my issue is that such a request
generates a 500. I feel that mod_perl should be returning 404 in this
case, since the file is indeed not found.
Generally, these kinds of requests are attempts at HTTP header-injection
or similar attacks. So I'm under no obligation to be helpful to them :)
Thoughts?
Thanks,
MAC
<snip>
I hope this helps.
[End of reply.]
[Wed Feb 13 16:27:33 2013] [error] [client 192.168.254.21] Unsuccessful
stat on filename containing newline at
/usr/local/lib64/perl5/ModPerl/RegistryCooker.pm line 787.\n
... which in turn results in a 500 Server Error.
Trying a similar URL with a php file on the same server correctly
returns a 404. Also, requesting a file like
/cgi-bin/this_file_does_not_exist.cgi correctly returns a 404. However,
/cgi-bin/this_file_does_not_exist.cgi%0d%0a returns 500.
What can / should I do to get the "correct" behaviour out of mod_perl?
I could probably do something with a mod_rewrite RewriteRule to strip
newlines, but I feel like I shouldn't have to run every request through
a RewriteRule. I could also accept if mod_perl treated this as a
warning, but that's not the case here.
Here is line 787 of RegistryCooker.pm, btw:
783: # XXX: should go away when finfo() is ported to 2.0 (don't want to
784: # depend on compat.pm)
785: sub Apache2::RequestRec::my_finfo {
786:     my $r = shift;
787:     stat $r->filename;
788:     \*_;
789: }
Thoughts?
Thanks!
Michael
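
An added example, not part of the thread or of mod_perl's own code: a stand-alone Perl script showing that a failed stat on a newline-terminated name only warns by default but dies once that warning is fatal, with a pre-check that answers 404 instead. The sample path, the fatal-warnings setting and the `status_for` helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from mod_perl.
use strict;
use warnings;

# Constructed sample: decoded form of /cgi-bin/search.cgi%0d%0a under a
# directory that does not exist, so the stat below always fails.
my $filename = "/nonexistent-dir/cgi-bin/search.cgi\r\n";

# 1. Default warnings: perl warns (category 'newline') and stat returns
#    an empty list. The caller can still answer "not found".
{
    local $SIG{__WARN__} = sub { print "warned: $_[0]" };
    my @st = stat $filename;
    print "stat fields returned: ", scalar(@st), "\n";
}

# 2. Assumption: the calling code runs with that warning made fatal.
#    The same stat now dies; uncaught in a handler, that means a 500.
{
    use warnings FATAL => 'newline';
    my $ok = eval { my @st = stat $filename; 1 };
    print "died:   $@" unless $ok;
}

# 3. Hypothetical guard: pick the status before touching the filesystem.
sub status_for {
    my ($path) = @_;
    return 404 if $path =~ /[\x00-\x1f\x7f]/;   # CR, LF and other control bytes
    return -e $path ? 200 : 404;
}

for my $path ($filename, "/nonexistent-dir/cgi-bin/search.cgi", $0) {
    (my $shown = $path) =~ s/([\x00-\x1f\x7f])/sprintf '\\x%02x', ord $1/ge;
    printf "%-48s -> %d\n", $shown, status_for($path);
}
```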