mahara-contributors team mailing list archive
Message #38334
[Bug 1626315] Re: Wishlist: Apache-compatible 404 error response page
Looking at the Mahara installation guide
https://wiki.mahara.org/wiki/System_Administrator's_Guide/Installing_Mahara#Apache_Configuration
we could add some ErrorDocument lines to that <virtualHost> info and
give instructions on how to set that up to point to related *.php files
(e.g. errors/404.php) in Mahara so they can be served maybe.
And then include a bunch of error php files in mahara that can be
served, maybe?
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1626315
Title:
Wishlist: Apache-compatible 404 error response page
Status in Mahara:
Confirmed
Bug description:
Due to receiving a few security reports about it, we've recently
re-styled the 404 response pages for most of the Mahara project sites.
The reports we received pointed out that the default Apache 404
response page prints the url-decoded (but still html-escaped) query
portion of the URL on the page. This could result in attackers
printing arbitrary text onto the page, with spaces and such, which
conceivably could be part of a phishing attack.
To keep things simple, we replaced it with a static empty page that
doesn't include any details about the requested query. However,
ideally we'd want to print out a page more like Google's 404 page:
1. Styled in the site's theme
2. Contains the requested URL, but in a way that clearly sets it apart (i.e., url-encoded so that spaces are transformed into %20, and possibly truncated if it's quite long.)
3. Maybe translated as well.
We could achieve this by shipping a PHP script with Mahara, which a
Mahara site admin could then configure their Apache server to use for
its 404 error document, via this directive:
ErrorDocument 404 /errors/404.php
We might also provide a "sample.htaccess" file, sitting at the top
level of the project (outside the htdocs directory) to show people how
to set this up. (We used to include a .htaccess file in Mahara's
htdocs by default, but this could cause crashes if people were using
different servers or different versions of Apache).
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1626315/+subscriptions
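A sketch of item 2 of the wishlist above (print the requested URL percent-encoded and truncated), as an added example that is not Mahara code or part of the original bug report. The names display_requested_url() and MAX_SHOWN are hypothetical, and the script assumes Apache leaves the originally requested URI in REQUEST_URI when it serves a local ErrorDocument; theming and translation (items 1 and 3) are not covered.

```php
<?php
// Added example, not Mahara code. display_requested_url() and MAX_SHOWN are
// hypothetical names used only in this sketch.
const MAX_SHOWN = 80;

// Return the requested URI in a form that is safe and unambiguous to print.
function display_requested_url(string $rawUri, int $max = MAX_SHOWN): string
{
    // Percent-encode every byte outside a conservative URL character set, so
    // spaces become %20 and injected text cannot read as prose. Existing %XX
    // escapes are kept as sent ('%' is in the allowed set).
    $encoded = preg_replace_callback(
        '/[^A-Za-z0-9\-._~\/?&=:;,@+%]/',
        static fn(array $m): string => rawurlencode($m[0]),
        $rawUri
    );

    // Truncate long URLs without leaving half of a %XX escape at the end.
    if (strlen($encoded) > $max) {
        $encoded = preg_replace('/%[0-9A-Fa-f]?$/', '', substr($encoded, 0, $max)) . '...';
    }

    // The result is plain ASCII, but escape it anyway before it reaches HTML.
    return htmlspecialchars($encoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request, for trying the function from the command line.
    echo display_requested_url('/view/x.php?note=arbitrary text with spaces <b>and markup</b>'), "\n";
} else {
    // Assumption: under a local ErrorDocument redirect, REQUEST_URI still holds
    // the URI the client originally asked for.
    $shown = display_requested_url($_SERVER['REQUEST_URI'] ?? '');
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    echo "<!DOCTYPE html>\n<title>Page not found</title>\n";
    echo "<p>The requested URL was not found on this site:</p>\n";
    echo "<p><code>{$shown}</code></p>\n";
}
```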