httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 33092] - URL manipulation filters do not differ
Date Fri, 14 Jan 2005 19:06:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33092>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33092





------- Additional Comments From sambukkaa@hotmail.com  2005-01-14 20:06 -------
OK, it seems that I haven’t expressed myself, or better to say the problem, well.

I will try to explain it again.

My intention is to extract a string from a PHP file that could only be called 
from another PHP file residing in the same directory.
The files would look something like this:

This is the content of the caller file:
<?php
// ... bla bla bla ...
$str = include "http://localhost/secured.php";
?>

The hidden file [secured.php] contains this:

<?php return ("This should be hidden and could be called only from caller.php"); ?>


Now, knowing that it is an internal file, the server actually should recognize it,
and the URL manipulation functions should not alter this URL:
http://localhost/secured.php
since it is an internal inclusion that has nothing to do with external visitors.
Therefore, whoever would call this file from outside would have to access the
secured.php file by calling the URL to it, something like this:
http://[HOST]/secured.php

Now the next step would be to manipulate http://[HOST]/secured.php into 
something else in order to prevent external calls to it.

I have tried to use the Apache URL manipulation options. 
They all work, but they also manipulate the http://localhost/secured.php URL, 
which must stay the way it was.
This shouldn’t happen and I believe that it is a bug or the concept is simply 
wrong.

