Glitch with custom error pages and contexts

#1
Hello, here's how to reproduce the behaviour that I encountered:

1) Create a context for a certain virtual host, using settings like these:

URI: /protected-dir/
Location: protected-dir/
Accessible: Yes
Access Allowed: 123.123.123.123
Access Denied: ALL

2) In the general tab of the vhost settings set a custom error page. I am using a 404 page since it is easy to trigger it. Use similar settings according to what you used in the context above:

URL: /protected-dir/my404.html

3) Now if you request any non-existing resource from an IP different from 123.123.123.123 you'll get a 403.
I was expecting to get my custom 404 since I'm not directly accessing the protected directory.

4) It might be worth noting that if I create a custom file for the 403 error code in the protected directory, and define a custom 403 page like this:

URL: /protected-dir/my403.html

when I ask for a non-existing resource I still get a 403 but with my custom page.


I think that what happens in point 3 should be fixed, since I'm not directly accessing the my404.html file.
This is also inconsistent with the fact that I can indirectly access the my403.html file in the protected directory.

Let me know if I should provide more info, thanks.
 

mistwang

LiteSpeed Staff
#2
I think number 4) should be fixed to make it consistent.
If you put anything in a protected directory, the security protection should not be bypassed, so, from an IP different from 123.123.123.123, none of the custom pages should be accessible.

For 3), it should show the built-in 404 error page instead of 403. The current behavior is because of the special treatment of the 404 page to make Rails work; a Rails app uses the 404 handler as dispatcher.
 
#3
I agree that fixing the issue so that the restriction isn't bypassable in any way is the best way to go.
The fact that it won't be possible to put custom error pages in a restricted context is indeed a minor drawback.

Thanks for your time.
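
A small model of the behaviour proposed in reply #2, added here as an illustration and not LiteSpeed's own code or configuration syntax: the custom error page is served only when the client could also fetch it directly, otherwise the built-in page is returned with the original status. The function names, the dictionaries and the client address 203.0.113.7 are assumptions constructed for the example.

```python
import ipaddress

# Constructed model of the thread's setup (not LiteSpeed config syntax).
CONTEXTS = [{"uri": "/protected-dir/", "allow": ["123.123.123.123"]}]
ERROR_PAGES = {404: "/protected-dir/my404.html", 403: "/protected-dir/my403.html"}
FILES = {
    "/index.html": "home",
    "/protected-dir/my404.html": "custom 404",
    "/protected-dir/my403.html": "custom 403",
}
BUILTIN = {403: "built-in 403", 404: "built-in 404"}


def allowed(client_ip, path):
    """Apply the allow list of the context covering path; everyone else is denied."""
    ip = ipaddress.ip_address(client_ip)
    for ctx in CONTEXTS:
        if path.startswith(ctx["uri"]):
            return any(ip in ipaddress.ip_network(net) for net in ctx["allow"])
    return True  # no restricted context covers this path


def error_response(client_ip, status):
    """Re-check the ACL on the internal fetch of the custom error page."""
    page = ERROR_PAGES.get(status)
    if page and page in FILES and allowed(client_ip, page):
        return status, FILES[page]
    # Keep the original status and fall back to the built-in page, so the
    # protected file is not served and a 404 does not turn into a 403.
    return status, BUILTIN[status]


def handle(client_ip, path):
    """Return (status, body) for a request, checking access before existence."""
    if not allowed(client_ip, path):
        return error_response(client_ip, 403)
    if path not in FILES:
        return error_response(client_ip, 404)
    return 200, FILES[path]


if __name__ == "__main__":
    for ip in ("123.123.123.123", "203.0.113.7"):
        for path in ("/missing", "/protected-dir/my404.html"):
            print(ip, path, handle(ip, path))
```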
 