httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Ralf S. Engelschall)
Subject mod_rewrite <-> mod_proxy and Security!
Date Fri, 19 Jul 1996 16:27:57 GMT

Now I'm added another feature to the new mod_rewrite (2.0 would it be named
instead of 1.8, because there are two much major changes):

   Forcing a currently generated URI 
   to be put through the proxy module!

Example (mind the P=proxy flag):

   RewriteEngine On
   RewriteRule   ^/apache/(.*)$$1  [P]

This is a more powerful way of mod_proxy's ProxyRemote directive to map
external stuff into the namespace of the local server. More powerful here
does not mean the proxy is better - no, it does only mean you have the power
of regexp to configure this feature (e.g. you can only proxy some specific
files of a directory, etc.)

While this seems a useful feature, perhaps this is a security risk, I think.
Because: In my current implementation it can be also used in per-directory
configuration files (.htaccess) !! E.g. a user could map remote stuff into
its homedir namespace by e.g.

   RewriteEngine On
   RewriteEngine ^hotstuff http://hotstuff/ [P]

Now the question is: 

Is this _REALLY_ a _SECURITY_ problem?

Hmmm.... I can think of situations where this could be a ethical problem, but
I would not declare it as a real security problem. Because: This mod_rewrite
feature does only provide a shorter way to do the trick, I think. I could
write a CGI program instead of using the above directive which calls the
local proxy in the background to archieve the same result.

Any hints and comments to this feature?

BTW: As recently discussed, mod_rewrite directives are _ONLY_ useable
     in .htaccess files if "Option FollowSymLinks" is active.

                                        Ralf S. Engelschall    

View raw message