httpd-modules-dev mailing list archives

From Christoph Gröver <gro...@sitepark.com>
Subject AcceptPathInfo configured, finding out the real URL that is used
Date Thu, 13 Nov 2014 21:50:22 GMT

Hello list,

I am developing a module which should be able to allow or deny access to URLs
based on a database.

I have now found out that with 'AcceptPathInfo on' there are URLs that the
user can access by simply adding a trailing '/' or a trailing '/whatever'.
So the user specifies he wants '/index.php/whatever' and this is not
disallowed in the database, but then he will get /index.php with '/whatever'
added to the PHP script as a path-info field.
This bypasses the security of course.

Is there a way of knowing whether this is in effect or (preferred) is there a
way to find out the real URL that the PHP interpreter will be using in the end?

My module runs in the auth_checker phase and in the fixup phase.
I have not yet found a way to determine the really delivered URL instead of
the user-given one.


Thank you for your time,

Greetings

-- 
Christoph Gröver, grover@sitepark.com
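
Added example (not part of the original message, and not Apache's own code): one way to make the database lookup judge the script instead of the user-supplied URL, by stripping the path-info suffix before the check. It assumes the module reads r->uri and r->path_info from the request_rec after Apache's directory walk has split off the path-info for a file served from disk; the deny list and both function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the access database: paths to deny. */
static const char *const DENY[] = { "/index.php", "/admin/tool.php" };

/* Length of the part of uri that names the mapped script, or -1 when
 * path_info is not a suffix of uri (the caller then fails closed). */
long script_len(const char *uri, const char *path_info)
{
    size_t lu = strlen(uri);
    size_t lp = path_info ? strlen(path_info) : 0;

    if (lp == 0)
        return (long)lu;                 /* no path-info was split off */
    if (lp > lu || strcmp(uri + lu - lp, path_info) != 0)
        return -1;
    lu -= lp;
    while (lu > 1 && uri[lu - 1] == '/') /* "/index.php//x" -> "/index.php" */
        lu--;
    return (long)lu;
}

/* 1 = deny, 0 = allow. The lookup uses the script part only, so
 * "/index.php/whatever" is judged as "/index.php". */
int is_denied(const char *uri, const char *path_info)
{
    long n = script_len(uri, path_info);
    size_t i;

    if (n < 0)
        return 1;
    for (i = 0; i < sizeof DENY / sizeof DENY[0]; i++)
        if (strlen(DENY[i]) == (size_t)n && strncmp(uri, DENY[i], (size_t)n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* In a module these would be r->uri and r->path_info (assumption). */
    printf("%d\n", is_denied("/index.php/whatever", "/whatever"));
    printf("%d\n", is_denied("/other.php/x", "/x"));
    return 0;
}
```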

