httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Fritsch">
Subject RE: "RewriteRule ... /$1" considered harmful
Date Fri, 15 Apr 2011 11:22:01 GMT
On Fri, April 15, 2011 11:34, "Plüm, Rüdiger, VF-Group" wrote:
>> RewriteRule ^/some/old/path/(.*)$ /$1
>> in his httpd config, in order to redirect some paths that are now
>> available directly under the document root. This has the problem that
>> mod_rewrite guesses if the substituted path is an URL or an
>> absoulte local
>> path by looking at the first component of the substitution
>> result. With
>> the above rule, this first component is controlled by the client which
>> causes security issues. For example,
>> http://servername/some/old/path/etc/passwd
>> does actually result in /etc/passwd being delivered to the client.
> I doubt that this would work with the recommended
> <Directory />
> deny from all
> </Directory>
> setting.

True, but this is often a PITA to use with complex auth configs. This will
improve with the new authz merging in 2.4, but I still think mod_rewrite
should behave more predictable. After all, some RewriteRule that works
perfectly well can stop working just because of a new directory being
created in /. Even if access to the new directory is forbidden, this is
still disruptive.

>> My first idea for saner semantics would be:
>> - Don't try to guess what the user meant. Instead, treat the
>> substitution
>> as URI unless some new option ([LOCALPATH]?) is given for the rule. In
>> this case, look for file system paths only.
>> - Add a new option for RewriteOptions to restore the old
>> guessing behaviour.
>> What do you think?
> IMHO that would be a dramatic change in behaviour. mod_rewrite was always
> a map to storage (or uri to file) provider and mapping to different URL's
> was only an additional
> feature.
> OTOH I admit that I mostly use mod_rewrite this way.

My impression is that mapping to different URLs is by far the more
frequent use case, but I may be wrong. A different idea would be

- Create new directives RewriteToPath, RewriteToURL that don't do guessing.
- Document clearly the problems that may be caused by the guessing
behaviour of RewriteRule. Maybe even mark RewriteRule as deprecated in


View raw message