[Bug 947744] [NEW] $ anchor doesn't work in Directory ~ regexp

jimav 947744 at bugs.launchpad.net
Tue Mar 6 05:30:05 UTC 2012

Public bug reported:

$ (end-of-line anchor) seems to break regular expressions with the
Directory config directive.

The $ is not being treated literally, but it is not ignored either.  If
present, it seems to completely prevent matching.

Steps to demonstrate:
1. Create the following test files in your tree (e.g. under /var/www/somewhere):

       echo "should be protected" > foo.BAK
       mkdir dir.BAK
       echo "should be protected" >dir.BAK/file
       echo "should be readable" > french.BAKERY

2.  Add to /etc/apache2/apache2.conf:

# This is intended to prevent access to any *.BAK (or contents, if directory)
# Note: We are using a regular expression, not wildcard syntax, and there is
# no initial ^ anchor.   Therefore it should match at the tail of any path.
<Directory ~ "\.BAK$">
    Order allow,deny
    Deny from all
    Satisfy all

3. sudo /etc/init.d/apache2 restart

4. Try to access the files.   
wget -O- http://localhost/somewhere/foo.BAK    # should get permission denied, but succeeds
wget -O- http://localhost/somewhere/dir.BAK/file   # should get permission denied, but succeeds
wget -O- http://localhost/somewhere/french.BAKERY  # succeeds
wget -O- http://localhost/somewhere/'foo.BAK$'   #  fails, proving the $ does not match literally

5.  Remove the trailing "$" from the Directory ~ regex in apache2.conf,
and restart the server

6. Test again:
wget -O- http://localhost/somewhere/foo.BAK    # permission denied as expected
wget -O- http://localhost/somewhere/dir.BAK/file   # permission denied as expected
wget -O- http://localhost/somewhere/french.BAKERY  # should succeed, but FAILS (because the regexp is not anchored at the end)

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: apache2 2.2.20-1ubuntu1.2
ProcVersionSignature: Ubuntu 3.0.0-16.28-generic 3.0.17
Uname: Linux 3.0.0-16-generic x86_64
NonfreeKernelModules: fglrx
Apache2ConfdDirListing: ['other-vhosts-access-log', 'localized-error-pages', 'security', 'charset']
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar  5 21:08:07 2012
InstallationMedia: Xubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
 PATH=(custom, user)
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apache2.apache2.conf: [modified]
mtime.conffile..etc.apache2.apache2.conf: 2012-03-05T21:07:48.481293

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug oneiric

You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.

  $ anchor doesn't work in Directory ~ regexp

To manage notifications about this bug go to:

More information about the Ubuntu-server-bugs mailing list