httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
Date Sun, 23 Nov 1997 16:16:30 GMT
All the same, I think this should at least be noted as a possible security
risk.

Say people are using mod_rewrite for some sort of access control.  It is
not intuitive that people can bypass it just by adding '/'s.

On 23 Nov 1997 rse@hyperreal.org wrote:

> [In order for any reply to be added to the PR database, ]
> [you need to include <apbugs@Apache.Org> in the Cc line ]
> [and leave the subject line UNCHANGED.  This is not done]
> [automatically because of the potential for mail loops. ]
> 
> 
> Synopsis: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
> 
> State-Changed-From-To: analyzed-closed
> State-Changed-By: rse
> State-Changed-When: Sun Nov 23 03:32:26 PST 1997
> State-Changed-Why:
> The user really has two problems. First, as Dean said, /img
> cannot match ^/img/(.*) and second, //img also cannot
> match ^/img/(.*). So
>
> 1. mod_rewrite is correct because it does what the user
>    has configured. There is no way and no need to do
>    any automatic "slash-cleanups". mod_rewrite matches
>    against the given URL as is (as long as it still is not
>    rewritten by another rewrite rule)
> 2. When double slashes can occur the user has to
>    change his rewrite rule to ^/+img... as Dean said.
> 3. When he wants to clean up any double slashes he has
>    to do so explicitly, for instance via
>    RewriteRule (.*)//+(.*)  $1/$2  [next]
> 
> So, this is not a problem of mod_rewrite.
> It's a matter of correct configuration of the
> rewrite rules. The URL Rewriting Engine can only do
> what it is configured to do. And it does no more
> and no less...
> 
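
An added example, not part of the original messages: a small Python harness that replays the three rules quoted above against constructed request paths, assuming the rewrite pattern is what guards `/img/` (the scenario in Marc's reply). It emulates mod_rewrite's unanchored matching and the `[next]` loop with Python's `re` module; the function names and sample paths are hypothetical.

```python
import re

# Patterns quoted in the thread. Treating them as an access-control guard
# is the assumed scenario from Marc's reply, not a configuration on the page.
STRICT = re.compile(r"^/img/(.*)")      # the rule as the user wrote it
TOLERANT = re.compile(r"^/+img/(.*)")   # Dean's suggested form
COLLAPSE = re.compile(r"(.*)//+(.*)")   # rse's explicit cleanup rule

# Constructed request paths (hypothetical, for illustration only).
SAMPLE_PATHS = ["/img/a.gif", "//img/a.gif", "///img//a.gif", "/img", "/bar//goo.html"]


def collapse_slashes(path):
    """Emulate 'RewriteRule (.*)//+(.*) $1/$2 [next]': re-run until no match."""
    while True:
        m = COLLAPSE.search(path)
        if m is None:
            return path
        # Each pass replaces a run of two or more slashes with one, so the
        # path gets strictly shorter and the loop terminates.
        path = m.group(1) + "/" + m.group(2)


def guarded(path, pattern, normalize=False):
    """True if the guarding rule fires for this path (unanchored search)."""
    if normalize:
        path = collapse_slashes(path)
    return pattern.search(path) is not None


def audit(paths):
    """For each path, report which of the three configurations catches it."""
    return {
        p: {
            "strict": guarded(p, STRICT),
            "tolerant": guarded(p, TOLERANT),
            "cleanup+strict": guarded(p, STRICT, normalize=True),
        }
        for p in paths
    }


if __name__ == "__main__":
    for path, result in audit(SAMPLE_PATHS).items():
        missed = [name for name, hit in result.items() if not hit]
        print(f"{path:16} not caught by: {', '.join(missed) or '-'}")
```

`/img` is missed by all three configurations because the pattern requires a trailing slash, which is the first of the two problems rse lists.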

