httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@engelschall.com (Ralf S. Engelschall)
Subject Re: mod_rewrite/1440: Rewrite has problems with urls such as
Date Sun, 23 Nov 1997 19:14:15 GMT

In article <3.0.1.16.19971123173759.4db74cc2@mail.xxLINK.nl> you wrote:
> At 09:16 23-11-97 -0700, Marc Slemko wrote:

>>All the same, I think this should at least be noted as a possible security
>>risk.
>>Say people are using mod_rewrite for some sort of access control.  It is
>>not intuitive that people can bypass it just by adding '/'s.
>>> 3. When he wants cleanup any double slashes he has
>>>    to do so explicitly, for instance via 
>>>    RewriteRule (.*)//+(.*)  $1/$2  [next]

> That basically means that ANY slash in a RewriteRule should have "/+"
> followed by it in order to be sure that the rule will always work.  I don't
> think you can accept this from webmasters.  In my opinion, mod_rewrite
> should automatically do a s#//#/#g on any input string.

> Even <Location> </Location> takes care of double slashes in URL's properly.
>  I assume the new LocationMatch does so also, otherwise that might be a
> security hole the size you could drive a Mack truck through...  ;-(

Mod_rewrite is an URL rewriting engine, directly operating on the given URL
via rules specified by the user. So, it does only what it is configured to do.
Automatically cleaning up URLs is not good, I think. When someone really
wants this he can easily add the above ruleset to its config.

What does the RFCs say? Is an URL with double slashes equal to the one with
only one slashes? When yes, then - ok - we should make sure even the URL
rewriting engine automatically does the cleanup. If not, we should not do it.

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com

Mime
View raw message