|
Home > Archive > Apache Mod-Python > September 2006 > Bizarre behavior with util.redirect() and mod_autoindex
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Bizarre behavior with util.redirect() and mod_autoindex
|
|
| Mike Glover 2006-09-16, 1:15 pm |
|
I'm working on an OpenID access control using mod_python. As part of the OpenID protocol, our code redirects (302) attempted access to a login page. Works Great.
However. If I try to use mod_autoindex to view a directory, and some of the files in that directory have OpenID access control enabled, I get a page that looks like the attached image.
What's Happening? mod_autoindex is spawning an internal subrequest for each file in the directory. For the access controlled files, util.redirect() is being called as part of that subrequest. util.redirect() automatically outputs the 'the document has
moved here' language directly to the client.
I solved this in our app by not generating the 302 if req.main != None. I don't think I should have to worry about that (though I'm willing to be convinced). util.redirect() should recognize the internal request and not write output to the client.
I'll happily submit a patch against util.py if folks here think it helpful.
-mike
-mike
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| Do you have the DirectoryIndex directive defined explicitly or inherited
from outer scope? What handler phase are you defining your mod_python
handler in?
Graham
Mike Glover wrote ..
>
> I'm working on an OpenID access control using mod_python. As part of the
> OpenID protocol, our code redirects (302) attempted access to a login page.
> Works Great.
>
> However. If I try to use mod_autoindex to view a directory, and some of
> the files in that directory have OpenID access control enabled, I get a
> page that looks like the attached image.
>
> What's Happening? mod_autoindex is spawning an internal subrequest for
> each file in the directory. For the access controlled files, util.redirect()
> is being called as part of that subrequest. util.redirect() automatically
> outputs the 'the document has moved here' language directly to the client.
>
> I solved this in our app by not generating the 302 if req.main != None.
> I don't think I should have to worry about that (though I'm willing to
> be convinced). util.redirect() should recognize the internal request and
> not write output to the client.
>
> I'll happily submit a patch against util.py if folks here think it helpful.
>
> -mike
>
> -mike
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| Still answer the questions, but you might also be getting impacted by:
http://issues.apache.org/jira/browse/MODPYTHON-140
This is fixed in mod_python 3.3, but not in 3.2.10.
Graham
Graham Dumpleton wrote ..[vbcol=seagreen]
> Do you have the DirectoryIndex directive defined explicitly or inherited
> from outer scope? What handler phase are you defining your mod_python
> handler in?
>
> Graham
>
> Mike Glover wrote ..
> the
> page.
> of
> a
> and
| |
| Mike Glover 2006-09-16, 1:15 pm |
| Graham-
Thanks for the reply.
I have DirectoryIndex inherited from httpd.conf.
The handler is a PythonHandler.
Read the link you sent later -- I'm not clueful enough yet to know if that's biting me (it seems to only apply to the earlier handlers, no?) -- but yes, we are running 3.2.10.
-mike
On Thu, 14 Sep 2006 18:05:56 -0400
"Graham Dumpleton" <grahamd@dscpl.com.au> wrote:
> Do you have the DirectoryIndex directive defined explicitly or inherited
> from outer scope? What handler phase are you defining your mod_python
> handler in?
>
> Graham
>
> Mike Glover wrote ..
>
>
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| If you are using PythonHandler then and not an earlier phase, I don't
understand why your handler is being called in the first place then for
those files. Which means of creating a sub request is mod_autoindex
using? I was presuming that it would be using the means of doing a
sub request which only runs up to the fixup handler phase and would
not actually run the response handler itself. This would ensure that
any access, authentication, authorisation, type matching stuff would
be done which I would have thought been enough for mod_autoindex
to get the information it may want. After all, why would it need the
actual content to be returned as it would muck up the results as you
are seeing.
Looking up the code I actually see that mod_autoindex is using the
function ap_sub_req_lookup_uri() which as I suspects, shouldn't result
in the response handler itself being run. Thus, your PythonHandler
shouldn't be getting called as a result of mod_autoindex.
There thus has to be something else which is causing your handler
to be triggered.
Mike Glover wrote ..[vbcol=seagreen]
> Graham-
>
> Thanks for the reply.
>
> I have DirectoryIndex inherited from httpd.conf.
>
> The handler is a PythonHandler.
>
> Read the link you sent later -- I'm not clueful enough yet to know if that's
> biting me (it seems to only apply to the earlier handlers, no?) -- but
> yes, we are running 3.2.10.
>
> -mike
>
> On Thu, 14 Sep 2006 18:05:56 -0400
> "Graham Dumpleton" <grahamd@dscpl.com.au> wrote:
>
> of the
> page.
> of
> a
> for
> client.
> to
> and
> helpful.
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| Hmmm, mod_autoindex also does:
if (ap_run_sub_req(rr) != OK) {
/* It didn't work */
emit_amble = suppress_amble;
emit_H1 = 1;
}
but why?
So it is forcing something through to the response handler phase, but what.
Graham
Mike Glover wrote ..[vbcol=seagreen]
> Graham-
>
> Thanks for the reply.
>
> I have DirectoryIndex inherited from httpd.conf.
>
> The handler is a PythonHandler.
>
> Read the link you sent later -- I'm not clueful enough yet to know if that's
> biting me (it seems to only apply to the earlier handlers, no?) -- but
> yes, we are running 3.2.10.
>
> -mike
>
> On Thu, 14 Sep 2006 18:05:56 -0400
> "Graham Dumpleton" <grahamd@dscpl.com.au> wrote:
>
> of the
> page.
> of
> a
> for
> client.
> to
> and
> helpful.
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| Sorry for spamming the list with so many quick messages, I'll stop
now. One more question first though.
How are you causing the PythonHandler to be triggered? Are you
using SetHandler/AddHandler or some other configuration. It would
help perhaps if you post your actual Apache configuration snippet
for the directory concerned.
Graham
Graham Dumpleton wrote ..[vbcol=seagreen]
> If you are using PythonHandler then and not an earlier phase, I don't
> understand why your handler is being called in the first place then for
> those files. Which means of creating a sub request is mod_autoindex
> using? I was presuming that it would be using the means of doing a
> sub request which only runs up to the fixup handler phase and would
> not actually run the response handler itself. This would ensure that
> any access, authentication, authorisation, type matching stuff would
> be done which I would have thought been enough for mod_autoindex
> to get the information it may want. After all, why would it need the
> actual content to be returned as it would muck up the results as you
> are seeing.
>
> Looking up the code I actually see that mod_autoindex is using the
> function ap_sub_req_lookup_uri() which as I suspects, shouldn't result
> in the response handler itself being run. Thus, your PythonHandler
> shouldn't be getting called as a result of mod_autoindex.
>
> There thus has to be something else which is causing your handler
> to be triggered.
>
> Mike Glover wrote ..
> that's
> some
> get
> None.
| |
| Mike Glover 2006-09-16, 1:15 pm |
| Graham-
Here's the snippet out of .htaccess that's calling the handler:
<Files "bar.html">
PythonAccessHandler mpopenid::requireOpenIDAuth
PythonOption allowed-users "mike.glover.myopenid.com
</Files>
As you can see, I was wrong about it being a PythonHandler -- I was looking at a different section of the file and got confused. So I may be affected by the bug you posted, after all.
-mike
On Thu, 14 Sep 2006 19:29:24 -0400
"Graham Dumpleton" <grahamd@dscpl.com.au> wrote:
> Sorry for spamming the list with so many quick messages, I'll stop
> now. One more question first though.
>
> How are you causing the PythonHandler to be triggered? Are you
> using SetHandler/AddHandler or some other configuration. It would
> help perhaps if you post your actual Apache configuration snippet
> for the directory concerned.
>
>
| |
| Graham Dumpleton 2006-09-16, 1:15 pm |
| Mike Glover wrote ..
> Graham-
>
> Here's the snippet out of .htaccess that's calling the handler:
>
> <Files "bar.html">
> PythonAccessHandler mpopenid::requireOpenIDAuth
> PythonOption allowed-users "mike.glover.myopenid.com
> </Files>
>
> As you can see, I was wrong about it being a PythonHandler -- I was looking
> at a different section of the file and got confused. So I may be affected
> by the bug you posted, after all.
Having done some playing, my advice would be to turn off Indexes so
that mod_autoindex is never used in the first place. For all I can tell, it
acts like a spamming device that could cause much havoc if one is
using handlers other than the response handlers. The results could be
varied, but if session management is being done from authentication
handlers, it may cause lockups quite easily depending on how the
handlers are written.
The problem is that for every subdirectory and then every file in those
subdirectories, it will run all handler phases up to the fixup handler
phase. Thus it will trigger access, authentication, etc handlers. I can
only think it is doing it for stuff in the subdirectories to determine if
anything in the subdirectories is accessible and thus whether the actual
subdirectory should be displayed. This is a pretty brute force way of
doing it though.
What is more annoying is that I cant find a way by interrogating either
req.notes, or req.main.handler to determine if the sub request is being
triggered by mod_autoindex. Thus one couldn't easily protect against
just it. If one just bails if req.main is set, you could stop other things
from working and you would have to be very careful.
So, my recommendation would be that rather than try and code your
handler to cope with what mod_autoindex does, simply disable the
mod_autoindex module and use hand constructed index files. I just
can't believe how nasty what it does is.
Graham
|
|
|
|
|