httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: REMOTE_USER look-ahead in a "RewriteCond expr" ap_expr
Date Fri, 15 Jun 2012 19:34:22 GMT
On Friday 15 June 2012, Richard Davies wrote:
> I've been trying to test this, and I don't think it works.
> 
> I believe that $1 would be a RewriteRule backreference, whereas we
> would need a RewriteCond backreference %1 here:
> http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewritecond

No, the syntax of ap_expr is distinct from the normal RewriteCond's 
syntax. But it seems there is a bit of code missing that would make 
the previous RewriteCond's backreferences available to ap_expr. 
Currently it only works in the other direction.

> When I try those, I get errors like this:
> 
>   RewriteCond: cannot compile expression " %1 -strmatch 'one'":
> Parse error near '%'
> 
> which look to me like %1 isn't supported in ap_expr?

But from your mail, I am not sure if it would actually be a good idea 
to make those backreferences available as $1, ... It would probably be 
rather confusing. I will have to think about a better solution.

> i.e. only a logged in user X can access /X/* and other users get
> 404.
> 
> This is trying to support a very large number of users, specified
> in the htdigest file, each of whom should only be able to access
> their own files.
> 
> Any other mechanism for achieving this kind of per-user directories
> would also be welcome! I don't want to have to write thousands of
> different valid-user statements for each different directory, and
> I can't use mod_authz_owner since the users aren't system users.

Without the return-404 bit, it's not that difficult with 
mod_authz_core alone:

<RequireAny>
   Require user workaround_for_PR_52892
   # Inside an ap_expr string, variables are interpolated as %{...}
   Require expr "-n %{REMOTE_USER} && %{REQUEST_URI} -strmatch '/%{REMOTE_USER}/*'"
</RequireAny>

Everything but the "Require expr ..." line is a workaround for 
https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

A solution with mod_rewrite is to use another indirection and put the 
looked-ahead user into an envvar (untested):

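# Copy the looked-ahead user into the LA_USER environment variable
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^ - [E=LA_USER:%1]

# Return 404 unless the request path lies under /<LA_USER>/
RewriteCond expr "! %{REQUEST_URI} -strmatch '/%{reqenv:LA_USER}/*'"
RewriteRule ^ - [R=404]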

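The per-user matching rule from the `Require expr` line above, modelled in Python as an added example (not code from this thread or from httpd). It assumes Python's `fnmatchcase` approximates `-strmatch` globbing, where `*` also matches slashes; the function names and the sample user list are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Characters that glob matching treats as pattern syntax rather than literals.
# The backslash is listed because apr_fnmatch-style globbing uses it as an escape.
GLOB_META = set("*?[\\")


def strmatch_allows(remote_user: str, request_uri: str) -> bool:
    """Model of: -n %{REMOTE_USER} && %{REQUEST_URI} -strmatch '/%{REMOTE_USER}/*'"""
    if not remote_user:  # the -n test: an empty user never matches
        return False
    # The user name is interpolated into the pattern, so it is read as a glob.
    return fnmatchcase(request_uri, f"/{remote_user}/*")


def literal_allows(remote_user: str, request_uri: str) -> bool:
    """Stricter check: the first path segment must equal the user name literally."""
    if not remote_user or "/" in remote_user:
        return False
    return request_uri.startswith(f"/{remote_user}/")


def names_needing_review(usernames):
    """User names that a glob-based rule would interpret as patterns or paths."""
    return [u for u in usernames if GLOB_META & set(u) or "/" in u]


if __name__ == "__main__":
    # Constructed sample data standing in for the names in the htdigest file.
    users = ["alice", "bob", "a*", "team/ops"]
    requests = [
        ("alice", "/alice/notes.txt"),
        ("alice", "/bob/notes.txt"),
        ("", "/alice/notes.txt"),
        ("a*", "/alice/notes.txt"),
    ]
    for user, uri in requests:
        print(f"user={user!r:8} uri={uri:18} "
              f"glob={strmatch_allows(user, uri)} literal={literal_allows(user, uri)}")
    print("review before enabling the rule:", names_needing_review(users))
```

Running `names_needing_review` over the real user list before deploying the rule shows whether any account name would widen the glob beyond its own directory.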