With Apache 2.2 I was running Mailman's CGI web interface in a VirtualHost which had:
<Directory "/usr/lib/cgi-bin/mailman/">
AssignUserId www-data www-data
AllowOverride None
Options ExecCGI
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
</Directory>
<Directory "/var/lib/mailman/archives/public/">
AssignUserId www-data www-data
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/share/images/mailman/">
AssignUserId www-data www-data
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias "/mailman/" "/usr/lib/cgi-bin/mailman/"
This worked fine. Recently, perhaps after an update to Apache 2.4 in Jessie (2.4.10-10+deb8u7) I am finding that I get no content from Apache. After a lot of head scratching and after debugging mailman (1:2.1.18-2+deb8u1) I find what works is to replace the ScriptAlias with a bunch of ScriptAliasMatch statements and modify Mailman to use REQUEST_URI rather than PATH_INFO since PATH_INFO is undefined. Perhaps that's because I'm ScriptAliasMatch, but if ScriptAliasMatch swallows the trailing path components that would seem to limit its usefulness.
Specifically, I hacked the site to work with the rather inelegant:
<Directory "/usr/lib/cgi-bin/mailman/">
AssignUserId www-data www-data
AllowOverride None
Options ExecCGI
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
</Directory>
<Directory "/var/lib/mailman/archives/public/">
AssignUserId www-data www-data
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/share/images/mailman/">
AssignUserId www-data www-data
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias "/mailman/images/" "/usr/share/images/mailman/"
# ScriptAlias "/mailman/" "/usr/lib/cgi-bin/mailman/"
ScriptAliasMatch "/mailman/admin/(.*)" "/usr/lib/cgi-bin/mailman/admin"
ScriptAliasMatch "/mailman/admindb/(.*)" "/usr/lib/cgi-bin/mailman/admindb"
ScriptAliasMatch "/mailman/confirm/(.*)" "/usr/lib/cgi-bin/mailman/confirm"
ScriptAliasMatch "/mailman/create/(.*)" "/usr/lib/cgi-bin/mailman/create"
ScriptAliasMatch "/mailman/edithtml/(.*)" "/usr/lib/cgi-bin/mailman/edithtml"
ScriptAliasMatch "/mailman/listinfo/(.*)" "/usr/lib/cgi-bin/mailman/listinfo"
ScriptAliasMatch "/mailman/options/(.*)" "/usr/lib/cgi-bin/mailman/options"
ScriptAliasMatch "/mailman/private/(.*)" "/usr/lib/cgi-bin/mailman/private"
ScriptAliasMatch "/mailman/rmlist/(.*)" "/usr/lib/cgi-bin/mailman/rmlist"
ScriptAliasMatch "/mailman/roster/(.*)" "/usr/lib/cgi-bin/mailman/roster"
ScriptAliasMatch "/mailman/subscribe/(.*)" "/usr/lib/cgi-bin/mailman/subscribe"
I then patched Mailman's function that uses PATH_INFO to fall back to REQUEST_URI:
def GetPathPieces(envar='PATH_INFO'):
path = os.environ.get(envar)
if path is None:
path = '/'.join(os.environ.get('REQUEST_URI').split('/')[3:]).split('?')[0]
if path:
if CRNLpat.search(path):
path = CRNLpat.split(path)[0]
syslog('error', 'Warning: Possible malformed path attack.')
return [p for p in path.split('/') if p]
return None
I've read the docs on ScriptAlias and mod_cgi, and tried to be sure by adding to my VirtualHost:
AcceptPathInfo on
which didn't help. I've also looked through the extensive apache configuration for this server and didn't find anything that looked relevant.
Also seemingly not relevant but close by is a wordpress .htaccess in the DocumentRoot of the VirtualHost
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
My question is: how do I run an unmodified copy of Debian Jessie Mailman againgst Apache 2.4. Or, have I hit a bug in Apache? The Mailman behavior seems reasonable.
