Bug#467480: apache2: default autoindex.conf uses bomb icon for file called score

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#467480: apache2: default autoindex.conf uses bomb icon for file called score
From: Edward Welbourne <eddy@opera.com>
Date: Mon, 25 Feb 2008 20:39:56 +0100
Message-id: <[🔎] 20080225193956.27668.26145.reportbug@whorl>
Reply-to: eddy@opera.com, 467480@bugs.debian.org

Package: apache2
Version: 2.2.8-1
Severity: minor
Tags: patch


I saw occasional files and directories showing up with a bomb icon; I
guessed they were broken symlinks or some such glitch, but closer
investigation revealed no problem.  Eventually, I noticed their names
all ended in "core" and guessed what was happening.  Sure enough,
AddIcon is tested as a wild-card or a suffix of the name, so deems
(for example) score to be a match for core, so displays it as a bomb.
Likewise dual-core, quad-core and so on.

<patch>

--- /etc/apache2/mods-available/autoindex.conf.orig	2008-01-17 21:13:45.000000000 +0100
+++ /etc/apache2/mods-available/autoindex.conf	2008-02-25 20:19:01.000000000 +0100
@@ -36,7 +36,8 @@
 AddIcon /icons/uuencoded.gif .uu
 AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
 AddIcon /icons/tex.gif .tex
-AddIcon /icons/bomb.gif core
+# It's a suffix rule, so simply matching "core" matches "score" as well !
+AddIcon /icons/bomb.gif /core
 AddIcon (SND,/icons/sound2.gif) .ogg
 AddIcon (VID,/icons/movie.gif) .ogm
 
</patch>

To my mild surprise, I found that matching isn't only done on the name
of the file (relative to its directory); it includes enough of the
path that /core does indeed match a file called simply "core".
So it proved easy enough to fix the problem :-)

The documentation at
/doc/apache2-doc/manual/en/mod/mod_autoindex.html#addicon
is also, consequently, mildly inaccurate when it ends the list of
things that name can be with "or a complete filename."  It's always
matched against suffixes, so the only way to make it *only* match as a
complete filename is to include a leading / (and I don't know whether
there are any limitations on that).

Ideally, there'd be some way to ensure the AddIcon rule for the bomb
would only match a *file* named (exactly) core; a directory of the
same name should just be displayed as a directory.  However, I
couldn't immediately see how to fix that and don't happen to have any
directories with this name in my local webspace, so didn't look
harder.

-- Package-specific info:
Config file syntax check failed.
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic authn_file authnz_ldap authz_default authz_host
  authz_user autoindex cgid dir* env ldap mime negotiation perl
  setenvif ssl status userdir
  (A * means that the .conf file for that module is not enabled in
   /etc/apache2/mods-enabled/)

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_GB.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.2.8-1    High speed threaded model for Apac

apache2 recommends no packages.

-- no debconf information

Reply to:

Prev by Date: post files onto ssl client cert secured site
Next by Date: Re: post files onto ssl client cert secured site
Previous by thread: Re: post files onto ssl client cert secured site
Next by thread: Bug#467254: installation-reports: Hangs when parametering ssl-cert
Index(es):
- Date
- Thread