Bug 1444151
Summary: | Apache webserver allows kind of "Content Spoofing" using default error pages | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.3 | CC: | aogburn, jorton, luhliari, robert.scheck |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-05-19 07:45:14 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Robert Scheck
2017-04-20 17:30:02 UTC
Cross-filed case 01835054 on the Red Hat customer portal. Robert, thanks for the report. I'm reluctant to change the defaults here. a) Looking through the code, the URL is included in the default (hard-coded) response body for a wide variety of HTTP error responses. https://github.com/apache/httpd/blob/trunk/modules/http/http_protocol.c#L949 Depending on the config, it will be more or less trivial for users to get a response which includes the URL for other canned error responses too. I don't want to patch all of that out and deviate from upstream behaviour unless we have good motivation. b) It's actually useful to include this content in many of those errors; not doing so is really only playing to security theatre. c) It's trivial to change the behaviour for 404 if you really do want this, a one liner: ErrorDocument 404 "404 Not Found" would suffice. Development Management has reviewed and declined this request. You may appeal this decision by reopening this request. |