Bug#151744: apache2-common: nested <!--#if --> SSI directives are misparsed in apache 2
Package: apache2-common
Version: 2.0.37-2
Severity: normal
If you nest a pair of <!--#if --> SSI directives on a page and then
serve that page with Apache 2.0.x, the statements will be mistakenly
parsed.
This is a test page I used to play around with to demonstrate this
error. It mentions version 2.0.35, but this problem still occurs in
2.0.37.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
<head>
<title>Test Of Nested SSI #if Statements In Apache 2.0.35</title>
</head>
<body>
<p>This is a test page.</p>
<p><!-- #set var="FOO" value="1" -->The current value of "FOO" is: <!--#echo var="FOO" --></p>
<p><!-- #set var="BAR" value="1" -->The current value of "BAR" is: <!--#echo var="BAR" --></p>
<p><!-- #set var="BAZ" value="1" -->The current value of "BAZ" is: <!--#echo var="BAZ" --></p>
<p> </p>
<!--#if expr="$FOO" -->
<p>This paragraph indicates the start of the #if when FOO is set.
<br />This will only show up on an Apache 2.0.35 server if FOO is set. This is correct behavior.</p>
<!--#if expr="$BAR" -->
<p>This paragraph shows when both FOO and BAR are set.
<br />As you can see, though, it shows up on an Apache 2.0.35 server even if only BAR is set.</p>
<!--#elif expr="$BAZ" -->
<p>This paragraph shows when both FOO and BAZ are set.
<br />As you can see, though, it shows up on an Apache 2.0.35 server even if only BAZ is set.</p>
<!--#else -->
<p>This paragraph shows when only FOO is set.
<br />If no other variables are set, this will show up on an Apache 2.0.35 server, even if FOO itself is not set.</p>
<!--#endif -->
<p>This paragraph indicates the end of the #if when FOO is set.
<br />If FOO is unset, this should not show up. But as you can see, it always shows up on an Apache 2.0.35 server, due to the #else above it.</p>
<!--#endif -->
<p> </p>
<p>This is the end of the test.</p>
</body>
</html>
As the variables are set above, serving this page with Apache 2.0.37
gets the following results:
This is a test page.
The current value of "FOO" is: (none)
The current value of "BAR" is: (none)
The current value of "BAZ" is: (none)
This paragraph shows when only FOO is set.
If no other variables are set, this will show up on an Apache
2.0.35 server, even if FOO itself is not set.
This paragraph indicates the end of the #if when FOO is set.
If FOO is unset, this should not show up. But as you can see, it
always shows up on an Apache 2.0.35 server, due to the #else
above it.
This is the end of the test.
Apache 1.3.26 properly gives this result:
This is a test page.
The current value of "FOO" is: (none)
The current value of "BAR" is: (none)
The current value of "BAZ" is: (none)
This is the end of the test.
I'm almost completely certain that this is an upstream bug, but I'm not
absolutely sure.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux d-ni 2.4.17 #1 Fri Jun 28 18:18:24 EDT 2002 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages apache2-common depends on:
ii debconf 1.1.14 Debian configuration management sy
ii debianutils 1.16.3 Miscellaneous utilities specific t
ii libapr0 2.0.37-2 The Apache Portable Runtime
ii libc6 2.2.5-7 GNU C Library: Shared libraries an
ii libexpat1 1.95.2-6 XML parsing C library - runtime li
ii libssl0.9.6 [libssl096] 0.9.6d-1 SSL shared libraries
ii zlib1g 1:1.1.4-1 compression library - runtime
-- no debconf information
--
To UNSUBSCRIBE, email to debian-apache-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: