[Pkg-nagios-devel] Bug#679476: icinga-cgi: apache config DirectoryMatch contains some subtle critical bugs

Christoph Anton Mitterer calestyo at scientia.net
Fri Jun 29 22:05:39 UTC 2012


Hi Alexander.

I made some tests on my own Icinga now (with Apache 2.2)...

As I noted before, there is something fishy in Apache when making the
regexps safe (by adding a trailing /) and when _directly_ accessing
content on the server. With a trailing / it works, without it does not,
although all this is done on DirectoryMatch (and not LocationMatch) where
it shouldn't matter at all.

Anyway,... all the directories we use:
/usr/share/icinga/htdocs
/usr/lib/cgi-bin/icinga
/etc/icinga/stylesheets
are not "directly" served (i.e. under the vhost's DocumentRoot) but via
Alias directives... and it seems that the problem from above doesn't
apply then.

So my previous suggestion for a safer (and nanoseconds faster ;-) )
pattern:
"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"
should be ok to use.

I personally consider it more aesthetic to add the trailing / outside of
the (), because then one cannot forget it if new dirs are ever
added to the list.


Oh, and it would be great if you could answer whether these Apache
configs come from somewhere upstream or are pure Debian :)



Cheers,
Chris.

btw: I guess there's something similar for the Nagios packages? 
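
What the trailing / in the suggested pattern changes at the regex level, as an added example (not part of the original message or of the Debian package). The pattern without the trailing slash is an assumed stand-in for the unsafe form, and the sibling directory names are constructed.

```python
import re

# Pattern suggested in the message (trailing "/" outside the group).
SAFE = r"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"
# Assumption: the same alternation without the trailing "/", standing in for
# the unsafe form (the packaged pattern itself is not quoted in the message).
LOOSE = r"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)"

INTENDED = [
    "/usr/share/icinga/htdocs",
    "/usr/lib/cgi-bin/icinga",
    "/etc/icinga/stylesheets",
]

# Constructed sibling suffixes: directory names that merely share the prefix.
SIBLING_SUFFIXES = ["-old", ".bak", "2", "_private"]


def overmatches(pattern, intended=INTENDED, suffixes=SIBLING_SUFFIXES):
    """Return sibling paths (outside every intended dir) that the pattern matches."""
    rx = re.compile(pattern)
    hits = []
    for base in intended:
        for suffix in suffixes:
            candidate = f"{base}{suffix}/secret.txt"
            # Unanchored search, as a regex section match would do.
            if rx.search(candidate):
                hits.append(candidate)
    return hits


def covers_intended(pattern, intended=INTENDED):
    """Check that content inside every intended directory still matches."""
    rx = re.compile(pattern)
    return all(rx.search(f"{d}/index.html") for d in intended)


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("suggested", SAFE)):
        print(name, "covers intended:", covers_intended(pat))
        for path in overmatches(pat):
            print("  also matches:", path)
```
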