[From nobody Mon Jul 27 15:49:17 2009
Received: (at submit) by bugs.debian.org; 6 Oct 2008 20:27:40 +0000
Return-path: <lamby@debian.org>
Received: from chris-lamb.co.uk ([89.16.166.3])
	by rietz.debian.org with esmtp (Exim 4.63)
	(envelope-from <lamby@debian.org>) id 1Kmwg7-0002oj-Jg
	for submit@bugs.debian.org; Mon, 06 Oct 2008 20:27:39 +0000
Received: from host86-148-148-82.range86-148.btcentralplus.com
	([86.148.148.82] helo=sakaki.chris-lamb.co.uk)
	by chris-lamb.co.uk with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.63) (envelope-from <lamby@debian.org>) id 1Kmwfy-0002Ua-LM
	for submit@bugs.debian.org; Mon, 06 Oct 2008 21:27:35 +0100
Date: Mon, 6 Oct 2008 21:27:19 +0100
From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: Regression in FastCGI path handling in 1.4.13-4etch11 security upload
Message-ID: <20081006212719.2d513ac4@sakaki.chris-lamb.co.uk>
X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="Sig_/6w4IZ4CiGvA+ZsmHMv3+1C4";
	protocol="application/pgp-signature"; micalg=PGP-SHA1
Delivered-To: submit@bugs.debian.org

--Sig_/6w4IZ4CiGvA+ZsmHMv3+1C4
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Package: lighttpd
Version: 1.4.13-4etch11
Tags: security

Hi,

When upgrading from 1.4.13-4etch10 to 1.4.13-4etch11, I noticed that my
FastCGI applications were not being passed the correct path. For example,
visiting "/foo" would result in the application (NB. not the webserver)
reporting a 404 at "/mytab.fcgi/foo".

My lighttpd setup is quite simple and mostly copied from the Django
documentation:

  $SERVER["socket"] == "89.16.166.30:443" {
        ssl.engine                  = "enable"
        ssl.pemfile                 = "/etc/lighttpd/mytab.pem"

        $HTTP["host"] =~ "^(www\.)?mytab\.co\.uk$" {
             server.document-root = "/srv/mytab.co.uk/htdocs/app/mytab/"

             url.rewrite-once = (
                  "^(/site_media/.*)$" => "$1",
                  "^(/media/.*)$" => "$1",
                  "^(/.*)$" => "mytab.fcgi$1",
             )
        }
  }

  fastcgi.server = (
        "/mytab.fcgi" => (
             (
                  "socket" => "/srv/mytab.co.uk/htdocs/mysite.sock",
                  "check-local" => "disable",
             )
        ),
  )

Re-installing lighttpd 1.4.13-4etch10 fixes this issue. Am I misconfiguring
FastCGI incorrectly with respect to those changes in this upload?

(Tagging as 'security' to alert the uploader, feel free to drop it.)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

--Sig_/6w4IZ4CiGvA+ZsmHMv3+1C4
Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEUEARECAAYFAkjqdKcACgkQ5/8uW2NPmiBODQCgn2N+xZnRW1kKYEt/Vi0dtWrL
fnwAlAhsD+OgA0vaNprD8HdnRuYZLuk=
=8wXU
-----END PGP SIGNATURE-----

--Sig_/6w4IZ4CiGvA+ZsmHMv3+1C4--


]