httpd-dev mailing list archives

From Eric Covener
Subject Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem
Date Thu, 15 Sep 2011 14:55:34 GMT
On Thu, Sep 15, 2011 at 10:35 AM, William A. Rowe Jr. wrote:
>> We have done update on Apache server from 2.0.x to 2.2.x. Afterwards, the root filesystem
>> was exposed to public. The root cause was the following misconfigured rewrite rule:
>>     RewriteRule ^(.*) $1  [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]
> Is there something here to be fixed w.r.t. the documentation about
> rewriterule syntax changed when upgrading?

IIUC It's not a 2.2-ism, it's ancient.  Most people report as a 403
just as if you added an Alias without adding a <Directory> section to
punch a hole for it.

Rewrite assumes you meant to substitute uri-to-file when the prefix
exists in the filesystem.  For this particular user, the correct rule
would not substitute at all (-) when they just want to set envvars.

Sniff tested on a 2.0 build and confirmed it is not a migration issue / 2.2-ism.

sf wanted to fork RewriteRule into a flavor that never guessed if you
meant to provide a URL or a File for 2.4, and take the oppty to unload
some other baggage with the new flavors. I am +1 to that for 2.4 (even
2.4.>0) since we'd leave RewriteRule intact.

Eric Covener
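
An added example, not part of the original message or of httpd itself: a small Python audit that flags env-setting RewriteRules whose substitution merely echoes the request path, as in the rule quoted above, where `-` is the substitution that avoids the uri-to-file guess. The sample config, probe paths and function names are constructed for illustration, and Python's `re` stands in for PCRE.

```python
import re

# Constructed sample config; line 2 is the rule quoted in the thread.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^(.*) $1  [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]
RewriteRule ^ - [E=ORDNER:X]
RewriteRule ^/app/(.*)$ /backend/$1 [E=APP:1,PT]
# RewriteRule ^(.*)$ $1 [E=IGNORED:1]
RewriteRule "^/(.*)" "/$1" [E=APP:demo,NC]
"""

PROBES = ["/index.html", "/app/status", "/a/b/c.txt"]  # constructed URL-paths
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare directive argument

def expand(subst, match):
    """Expand $N back-references the way a RewriteRule substitution would."""
    def backref(b):
        n = int(b.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return re.sub(r"\$(\d)", backref, subst)

def is_identity(pattern, subst):
    """True if every probe the pattern matches is rewritten to itself."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return False  # PCRE syntax Python's re cannot parse: undecided
    hits = [(p, m) for p in PROBES if (m := rx.search(p))]
    return bool(hits) and all(expand(subst, m) == p for p, m in hits)

def audit(conf_text):
    """Return (line_no, line) for env-setting rules that should use '-'."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        toks = [q or b for q, b in TOKEN.findall(line)]
        if len(toks) < 3 or toks[0].lower() != "rewriterule":
            continue
        pattern, subst = toks[1], toks[2]
        flags = toks[3].strip("[]").split(",") if len(toks) > 3 else []
        sets_env = any(f.upper().startswith(("E=", "ENV=")) for f in flags)
        if sets_env and subst != "-" and is_identity(pattern, subst):
            findings.append((no, line))
    return findings

if __name__ == "__main__":
    for no, line in audit(SAMPLE_CONF):
        print(f"line {no}: substitution only echoes the URL; use '-': {line}")
```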
