With Apache 2.2 I was running Mailman's CGI web interface in a VirtualHost which had:
<Directory "/usr/lib/cgi-bin/mailman/"> AssignUserId www-data www-data AllowOverride None Options ExecCGI AddHandler cgi-script .cgi Order allow,deny Allow from all </Directory> <Directory "/var/lib/mailman/archives/public/"> AssignUserId www-data www-data Options FollowSymlinks AllowOverride None Order allow,deny Allow from all </Directory> <Directory "/usr/share/images/mailman/"> AssignUserId www-data www-data AllowOverride None Order allow,deny Allow from all </Directory> ScriptAlias "/mailman/" "/usr/lib/cgi-bin/mailman/" This worked fine. Recently, perhaps after an update to Apache 2.4 in Jessie (2.4.10-10+deb8u7) I am finding that I get no content from Apache. After a lot of head scratching and after debugging mailman (1:2.1.18-2+deb8u1) I find what works is to replace the ScriptAlias with a bunch of ScriptAliasMatch statements and modify Mailman to use REQUEST_URI rather than PATH_INFO since PATH_INFO is undefined. Perhaps that's because I'm ScriptAliasMatch, but if ScriptAliasMatch swallows the trailing path components that would seem to limit its usefulness.
Specifically, I hacked the site to work with the rather inelegant:
<Directory "/usr/lib/cgi-bin/mailman/"> AssignUserId www-data www-data AllowOverride None Options ExecCGI AddHandler cgi-script .cgi Order allow,deny Allow from all </Directory> <Directory "/var/lib/mailman/archives/public/"> AssignUserId www-data www-data Options FollowSymlinks AllowOverride None Order allow,deny Allow from all </Directory> <Directory "/usr/share/images/mailman/"> AssignUserId www-data www-data AllowOverride None Order allow,deny Allow from all </Directory> Alias "/mailman/images/" "/usr/share/images/mailman/" # ScriptAlias "/mailman/" "/usr/lib/cgi-bin/mailman/" ScriptAliasMatch "/mailman/admin/(.*)" "/usr/lib/cgi-bin/mailman/admin" ScriptAliasMatch "/mailman/admindb/(.*)" "/usr/lib/cgi-bin/mailman/admindb" ScriptAliasMatch "/mailman/confirm/(.*)" "/usr/lib/cgi-bin/mailman/confirm" ScriptAliasMatch "/mailman/create/(.*)" "/usr/lib/cgi-bin/mailman/create" ScriptAliasMatch "/mailman/edithtml/(.*)" "/usr/lib/cgi-bin/mailman/edithtml" ScriptAliasMatch "/mailman/listinfo/(.*)" "/usr/lib/cgi-bin/mailman/listinfo" ScriptAliasMatch "/mailman/options/(.*)" "/usr/lib/cgi-bin/mailman/options" ScriptAliasMatch "/mailman/private/(.*)" "/usr/lib/cgi-bin/mailman/private" ScriptAliasMatch "/mailman/rmlist/(.*)" "/usr/lib/cgi-bin/mailman/rmlist" ScriptAliasMatch "/mailman/roster/(.*)" "/usr/lib/cgi-bin/mailman/roster" ScriptAliasMatch "/mailman/subscribe/(.*)" "/usr/lib/cgi-bin/mailman/subscribe" I then patched Mailman's function that uses PATH_INFO to fall back to REQUEST_URI:
def GetPathPieces(envar='PATH_INFO'): path = os.environ.get(envar) if path is None: path = '/'.join(os.environ.get('REQUEST_URI').split('/')[3:]).split('?')[0] if path: if CRNLpat.search(path): path = CRNLpat.split(path)[0] syslog('error', 'Warning: Possible malformed path attack.') return [p for p in path.split('/') if p] return None I've read the docs on ScriptAlias and mod_cgi, and tried to be sure by adding to my VirtualHost:
AcceptPathInfo on which didn't help. I've also looked through the extensive apache configuration for this server and didn't find anything that looked relevant.
Also seemingly not relevant but close by is a wordpress .htaccess in the DocumentRoot of the VirtualHost
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress My question is: how do I run an unmodified copy of Debian Jessie Mailman againgst Apache 2.4. Or, have I hit a bug in Apache? The Mailman behavior seems reasonable.
OrderandAllowstatements. httpd.apache.org/docs/2.4/upgrading.html