Glitch with custom error pages and contexts

Discussion in 'Bug Reports' started by embed, Feb 28, 2008.

  1. embed

    embed Member

    Hello, here's how to reproduce the behaviour that I encountered:

    1) Create a context for a certain virtual host, using settings like these:

    URI: /protected-dir/
    Location: protected-dir/
    Accessible: Yes
    Access Allowed:
    Access Denied: ALL

    2) In the general tab of the vhost settings set a custom error page. I am using a 404 page since it is easy to trigger it. Use similar settings according to what you used in the context above:

    URL: /protected-dir/my404.html

    3) Now if you request any non-existing resource from an IP different from you'll get a 403.
    I was expecting to get my custom 404 since I'm not directly accessing the protected directory.

    4) It might be worth noting that if I create a custom file for the 403 error code into the protected directory, and define a custom 403 page like this:

    URL: /protected-dir/my403.html

    when I ask for a non-existing resource I still get a 403 but with my custom page.

    I think that what happens in point 3 should be fixed, since I'm not directly accessing the my404.html file.
    This is also an inconsistency with the fact that I can access indirectly the my403.html file in the protected directory.

    Let me know if I should provide more info, thanks.
  2. mistwang

    mistwang LiteSpeed Staff

    I think the number 4) should be fixed to make it consistant.
    If you put anything in a protected directory, the security protection should not be bypassed, so, from an IP different from, none of the custom page should be accessible.

    For 3), it should show the built-in 404 error page instead of 403, the current behavior is beasue of the special treatment to 404 page to make Rails works, Rails app uses 404 handler as dispatcher.
  3. embed

    embed Member

    I agree that fixing the issue so that the restriction isn't bypassable in any way is the best way to go.
    The fact that it won't be possible to put custom error pages in a restricted context is indeed a minor drawback.

    Thanks for your time.

Share This Page