| Summary: | www/apache13: relative URL targets now invalid in Redirect*; very astonishing website breakage ensues | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Alan E <ports> |
| Component: | Individual Port(s) | Assignee: | Andrey A. Chernov <ache> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | CC: | ache |
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Alan E
2002-03-23 14:50:01 UTC
In message <200203231444.g2NEirb65049@wwweasel.geeksrus.net>, Alan Eldridge writes:
>
> >Number: 36231
> >Category: ports
> >Synopsis: www/apache13: relative URL targets now invalid in Redirect*;
> very astonishing website breakage ensues
> >Confidential: no
> >Severity: critical
> >Priority: high
> >Responsible: freebsd-ports
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sat Mar 23 06:50:01 PST 2002
> >Closed-Date:
> >Last-Modified:
> >Originator: Alan Eldridge
> >Release: FreeBSD 4.5-STABLE i386
> >Organization:
> Geeksrus.NET
> >Environment:
> System: FreeBSD wwweasel.geeksrus.net 4.5-STABLE FreeBSD 4.5-STABLE #0: Mon Mar 11 00:59:22 EST 2002 root@wwweasel.geeksrus.net:/usr/obj/usr/src/sys/WWWEASEL i386
> >Description:
>
> I updated to the new apache13 port and there's an implementation
> change that caused massive breakage to one of my local websites: the
> target URL of a Redirect* directive can no longer be a relative URL;
> it must be absolute.
>
> Suggest this update should be backed out, as it has the potential to break
> many websites badly.
>
> This change is documented by comparing the htdocs/manual/mod/mod_alias.html
> files between 1.3.23 and 1.3.24.
>
> Here's the new restriction:
>
> Note: Redirect directives take precedence over Alias and ScriptAlias
> directives, irrespective of their ordering in the configuration
> file. Also, URL-path must be an absolute path, not a relative path,
> even when used with .htaccess files or inside of <Directory> sections.
>
> >How-To-Repeat:
>
> [alane ~/public_html/gronk]$ cat willie_nile/.htaccess
> <Files index.html>
> RedirectMatch .* golden_down.html
> </Files>
> [alane ~/public_html/gronk]$
>
> This redirection no longer works as of the upgrade. It must be rewritten as:
>
> <Files index.html>
> RedirectMatch (.*)/.* $1/golden_down.html
> </Files>
>
> or else this error occurs:
>
> [Sat Mar 23 08:57:25 2002] [error] [client 127.0.0.1] cannot redirect '/~alane/gronk/willie_nile/index.html' to 'golden_down.html'; target is not a valid absoluteURI or abs_path
>
> >Fix:
>
> Preferred:
>
> Back out this update.
>
> Alternate:
>
> Add documentation of this change (pkg-message) and a knob to the Makefile
> that *must* be supplied in order to install the port.
> >Release-Note:
> >Audit-Trail:
> >Unformatted:

This was changed in mod_alias.c 1.46:

Fix RedirectMatch so it won't emit invalid Location fields.

http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_alias.c.diff?r1=1.45&r2=1.46

I haven't done an exhaustive search, however the very little searching I did do (Saturday morning change window in 1/2 hour and I still have to shower before I go to work), I did not find any discussion about this on the web.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

Responsible Changed
From-To: freebsd-ports->ache

Over to maintainer

State Changed
From-To: open->closed

Fix your website instead. Relative URLs in Redirect: are standard violation, see RFC 2068

On Sun, Mar 24, 2002 at 12:38:03AM -0800, ache@FreeBSD.org wrote:
>State-Changed-Why:
>Fix your website instead.
>Relative URLs in Redirect: are standard violation, see RFC 2068

I concede that backing out the update is *extreme*. However, I disagree with closing the PR without any action at all.

Don't you think a pkg-message about the change would be nice? Some sites are generated by software, and when it breaks for no apparent reason, it's a real PITA to track down.

Even if the site *is* technically broken, and it worked before the update and not after, that's a harsh way to find out that files you didn't write are now considered to be in error? I'm thinking of the non-programmer confronted with this situation.

Once I tracked down what the problem was, this was an easy fix to one perl script for me. But I'm a professional developer; how much pain would this cause to someone who doesn't have that skill set?

--
AlanE
"When the going gets weird, the weird turn pro." - HST

On Sun, Mar 24, 2002 at 03:58:44 -0500, Alan Eldridge wrote:
> Don't you think a pkg-message about the change would be nice? Some sites
> are generated by software, and when it breaks for no apparent reason,
> it's a real PITA to track down.

It is already perfectly described in Apache CHANGELOG. It is not pkg-message intention to reflect CHANGELOG.

If you want to change this behaviour, talk to Apache maintainers instead, this is _port_ and not separate development effort.

--
Andrey A. Chernov
http://ache.pp.ru/

On Sun, Mar 24, 2002 at 12:09:02PM +0300, Andrey A. Chernov wrote:
>On Sun, Mar 24, 2002 at 03:58:44 -0500, Alan Eldridge wrote:
>
>> Don't you think a pkg-message about the change would be nice? Some sites
>> are generated by software, and when it breaks for no apparent reason,
>> it's a real PITA to track down.
>
>It is already perfectly described in Apache CHANGELOG. It is not
>pkg-message intention to reflect CHANGELOG.

Q: Where is the changelog information available to someone who installs a prebuilt binary package?

A: It is not included in the package.

If the documentation had been correct, that it must be an absolute URL, and only the code had been too permissive, then it would be different. But the documentation for 1.3.23 didn't specify the requirement, either.

From the user's perspective, and the perspective of the 1.3.23 docs, a relative URL was *OK* in RedirectMatch; this is a new requirement for RedirectMatch that did not exist in the previous version, and that can break working websites.

It *is* pkg-message's intent to warn of possible problems, among other things. Why do you argue against warning the user that the upgrade may break working websites?

This *is* a ports issue. We (FBSD) provide binary packages. We provide the build infrastructure (ports tree). It is inappropriate for us to know about a potential problem caused by a port upgrade and deliberately not tell the user installing the port anything about it.

--
AlanE
"When the going gets weird, the weird turn pro." - HST

Further background:

RedirectMatch appeared in 1.3a1. Restriction on target being absolute URL was neither introduced nor documented until 1.3.24.

This is not a minor bugfix. This is a change to code and documents that have been in place for 4.5 YEARS.

Please reopen PR. I'll create a pkg-message patch if you don't want to be bothered, so all you have to do is commit it.

--
AlanE
"When the going gets weird, the weird turn pro." - HST

On Sun, Mar 24, 2002 at 04:32:29 -0500, Alan Eldridge wrote:
> different. But the documentation for 1.3.23 didn't specify the
> requirement, either.

This requirement is specified in HTTP standard. Apache docs not supposed to include all appropriate standards copies.

> It *is* pkg-message's intent to warn of possible problems, among other
> things. Why do you argue against warning the user that the upgrade may
> break working websites?

Well, send me pkg-message which as you think describe this situation enough and I'll commit it.

--
Andrey A. Chernov
http://ache.pp.ru/

On Sun, Mar 24, 2002 at 04:43:05 -0500, Alan Eldridge wrote:
> This is not a minor bugfix. This is a change to code and documents that
> have been in place for 4.5 YEARS.

Read HTTP standard which describe correct variant for years. Websites must rely on standards and not on undocumented httpd features.

--
Andrey A. Chernov
http://ache.pp.ru/

On Sun, Mar 24, 2002 at 01:09:18PM +0300, Andrey A. Chernov wrote:
>On Sun, Mar 24, 2002 at 04:32:29 -0500, Alan Eldridge wrote:
>This requirement is specified in HTTP standard. Apache docs not supposed
>to include all appropriate standards copies.

FWIW When this hit me, I looked at the existing (now failing) files and thought that older apache saw the relative URL and Did The Right Thing with it, and I wondered why they took that nice feature out.

>Well, send me pkg-message which as you think describe this situation
>enough and I'll commit it.

Thanks. I've made this as brief and to-the-point as I can. I've also alerted the author of the app in question (Jamie Zawinski, of original-Netscape fame) of the change and supplied a patch to him.

==8<===8<===8<===8<===8<===8<===8<===8<===8<===8<===8<===8<= Index: www/apache13/Makefile =================================================================== RCS file: /home/alane/cvsup-ports/cvsroot/ports/www/apache13/Makefile,v retrieving revision 1.107 diff -u -3 -r1.107 Makefile --- www/apache13/Makefile 23 Mar 2002 05:40:31 -0000 1.107 +++ www/apache13/Makefile 24 Mar 2002 13:09:11 -0000 @@ -79,5 +79,6 @@ ${ECHO} "Installing ${PREFIX}/etc/rc.d/apache.sh startup file."; \ ${INSTALL_SCRIPT} -m 751 ${FILESDIR}/apache.sh ${PREFIX}/etc/rc.d/apache.sh; \ fi + @${CAT} ${PKGMESSAGE} .include <bsd.port.mk> Index: www/apache13/pkg-message =================================================================== RCS file: www/apache13/pkg-message diff -N www/apache13/pkg-message --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ www/apache13/pkg-message 24 Mar 2002 13:18:00 -0000 
@@ -0,0 +1,4 @@ +===> COMPATIBILITY NOTE: + As of version 1.3.24, the RedirectMatch directive requires an + absolute URL target location per RFC 2068. Uses of RedirectMatch that + specify a relative URL will fail and must be corrected to function. ==8<===8<===8<===8<===8<===8<===8<===8<===8<===8<===8<===8<= -- AlanE "When the going gets weird, the weird turn pro." - HST |
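
Review bot: In the www/apache13/Makefile hunk, `@${CAT} ${PKGMESSAGE}` runs unconditionally after the `fi`, so the compatibility note is printed on every install, including fresh installs with no existing Redirect rules, and can scroll past with the rest of the install output. The visible lines also do not set PKGMESSAGE, so the command depends on the value supplied through `.include <bsd.port.mk>`; confirm that it resolves to the new www/apache13/pkg-message, and consider a one-line comment above the command saying why the message is shown.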
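
Review bot: The text added in www/apache13/pkg-message names only RedirectMatch and says the target must be an "absolute URL", which is narrower than what this PR shows. The logged error reads "target is not a valid absoluteURI or abs_path", the reporter's corrected rule uses `$1/golden_down.html` (an absolute path, not a full URL), and the synopsis speaks of Redirect*. Suggest wording along the lines of "an absolute URL or absolute path" and quoting the logged error string, so an administrator can match the note against what appears in the error log.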
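
An audit for the breakage discussed in this PR, as an added example that is not part of the report, the patch or Apache: it scans configuration text for Redirect* rules and approximates the check behind the logged error ("absoluteURI or abs_path") so that relative targets can be found before upgrading to 1.3.24. The sample .htaccess is constructed from the two rules in the report plus two made-up ones (`www.example.org` is a placeholder); the function names and the status-keyword handling are assumptions of this example.

```python
import re
import shlex

# Constructed sample: the two rules from this report plus two static rules.
SAMPLE_HTACCESS = """\
<Files index.html>
RedirectMatch .* golden_down.html
</Files>
RedirectMatch (.*)/.* $1/golden_down.html
Redirect permanent /old http://www.example.org/new
RedirectTemp /tmp other.html
"""

DIRECTIVES = {"redirect", "redirectmatch", "redirecttemp", "redirectpermanent"}
STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # absoluteURI begins with a scheme


def classify_target(target):
    """Approximate the logged check: target must be an absoluteURI or abs_path."""
    if target.startswith("/") or SCHEME.match(target):
        return "ok"
    if re.match(r"\$\d", target):
        return "depends-on-capture"  # RedirectMatch backreference, known only per request
    return "relative"


def audit(text):
    """Return (line_no, directive, target, verdict) for each Redirect* rule."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        try:
            args = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to whitespace splitting
            args = line.split()
        if args[0].lower() not in DIRECTIVES:
            continue
        rest = args[1:]
        # Assumption: a leading status keyword or code is optional on Redirect/RedirectMatch.
        if rest and args[0].lower() in ("redirect", "redirectmatch") and STATUS.match(rest[0]):
            rest = rest[1:]
        if len(rest) == 2:  # "Redirect gone /path" has no target and is skipped
            findings.append((no, args[0], rest[1], classify_target(rest[1])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTACCESS):
        print(*finding)
```

Rules reported as `relative` are the ones that would produce the error quoted in the report; `depends-on-capture` rules need a look at the regex to confirm the captured prefix begins with `/`.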