| Summary | www-servers/boa advertises insecure AddType directive |
|---|---|
| Product | Gentoo Linux |
| Reporter | Sebastian Pipping <sping> |
| Component | Current packages |
| Assignee | Michał Górny <mgorny> |
| Status | RESOLVED INVALID |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Sebastian Pipping
2015-03-28 17:03:41 UTC
Could you elaborate a bit, please? I don't see how Apache's AddType applies to boa configuration... Are we dealing with Apache directive names like DefaultType, ScriptAlias, AddType for things that boa implements itself here? Does "AddType application/x-httpd-cgi cgi" match file "index.cgi.png" (as with Apache), too?

I had a quick look at boa source code now (version 0.94.14_rc21-r1). Boa's AddType results in a new type map entry. That entry is compared against the very last file extension, only:

```c
extension = strrchr(filename, '.');
if (!extension || extension[1] == '\0')
    return default_type;
++extension;
hash = get_mime_hash_value(extension);
current = hash_find(mime_hashtable, extension, hash);
return (current ? current->value : default_type);
```

The looked up MIME type is used for two things only:

* Comparison to "application/x-httpd-cgi" for CGI execution
* Generation of a Content-Type response header

So that's both safe and not what Apache is doing. Since Boa has a doc section "Unexpected behavior", I have opened a ticket to ask upstream for documentation of the differences to AddType of Apache: https://sourceforge.net/p/boa/bugs/41/ .

Best, Sebastian
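The last-extension lookup described in the comment above, as an added illustration that is neither boa's code nor part of the bug report: `type_map` is a constructed stand-in for boa's mime_hashtable, `boa_mime_type` mirrors the quoted `strrchr` logic, and `any_component_is_cgi` is an assumed, simplified model of multi-extension matching (not Apache's mod_mime implementation) included only to contrast the two behaviours on names such as "index.cgi.png".

```c
#include <string.h>

/* Constructed stand-in for boa's mime_hashtable after the directive
 * "AddType application/x-httpd-cgi cgi" plus two ordinary types. */
static const struct { const char *ext, *type; } type_map[] = {
    { "cgi", "application/x-httpd-cgi" }, { "png", "image/png" }, { "html", "text/html" },
};
static const char *default_type = "text/plain";
#define CGI_TYPE "application/x-httpd-cgi"

/* Exact-length match of one extension component against the constructed map. */
static const char *lookup_ext(const char *ext, size_t len)
{
    for (size_t i = 0; i < sizeof type_map / sizeof type_map[0]; i++)
        if (strlen(type_map[i].ext) == len && strncmp(type_map[i].ext, ext, len) == 0)
            return type_map[i].type;
    return NULL;
}

/* Same decision as the quoted boa code: only the text after the LAST '.'
 * is consulted; no '.', or a trailing '.', falls back to default_type. */
const char *boa_mime_type(const char *filename)
{
    const char *extension = strrchr(filename, '.');
    if (!extension || extension[1] == '\0')
        return default_type;
    const char *found = lookup_ext(extension + 1, strlen(extension + 1));
    return found ? found : default_type;
}

/* boa executes a file as CGI only when the looked-up type is exactly CGI_TYPE. */
int boa_is_cgi(const char *filename)
{
    return strcmp(boa_mime_type(filename), CGI_TYPE) == 0;
}

/* Simplified model (an assumption, not Apache's mod_mime code) of
 * multi-extension matching: ANY dot-separated component mapped to the
 * CGI type marks the file as CGI. Included only as a contrast to boa. */
int any_component_is_cgi(const char *filename)
{
    for (const char *p = strchr(filename, '.'); p; p = strchr(p + 1, '.')) {
        const char *end = strchr(p + 1, '.');
        size_t len = end ? (size_t)(end - p - 1) : strlen(p + 1);
        const char *t = lookup_ext(p + 1, len);
        if (t && strcmp(t, CGI_TYPE) == 0)
            return 1;
    }
    return 0;
}
```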