httpd-users mailing list archives

From "James Mitchell" <reduc...@askmiky.com>
Subject [users@httpd] Things in the manual, which aren't what they should be?
Date Fri, 17 Oct 2003 04:40:04 GMT
Hi,

I've just been reading over the rewriteguide for 2.0:
http://httpd.apache.org/docs-2.0/misc/rewriteguide.html

I am no perl guru, but the following block of code, at the bottom of the
page:

@pairs = split(/&/, $ENV{'QUERY_STRING'});
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $name =~ tr/A-Z/a-z/;
    $name = 'QS_' . $name;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    eval "\$$name = \"$value\"";
}

Wouldn't that be insecure, because users could break out of the quote
marks and do things like system("rm -rf /") and other things?

Also < is &amp;lt; rather than &lt; so it's showing up wrong. Look at:

print "&lt;b&gt;ERROR&lt;/b&gt;: File $QS_f not found\n";

and

for ($n = 0; $n &lt; $QS_n; $n++) {


Users copying and pasting it, without looking, are going to get errors.

Also on that same page, I haven't tested it, but would this work:

#   backward compatibility ruleset for
#   rewriting document.html to document.phtml
#   when and only when document.phtml exists
#   but no longer document.html
RewriteEngine on
RewriteBase   /~quux/
#   parse out basename, but remember the fact
RewriteRule   ^(.*)\.html$              $1      [C,E=WasHTML:yes]
#   rewrite to document.phtml if exists
RewriteCond   %{REQUEST_FILENAME}.phtml -f
RewriteRule   ^(.*)$ $1.phtml                   [S=1]
#   else reverse the previous basename cutout
RewriteCond   %{ENV:WasHTML}            ^yes$
RewriteRule   ^(.*)$ $1.html


Look closely at the following line:
RewriteCond   %{REQUEST_FILENAME}.phtml -f

Isn't this going to test for file.html.phtml rather than file.phtml?

Thanks,
James Mitchell



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
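An added example, written here and not taken from the rewrite guide or from the original post: the same QUERY_STRING parse done into a hash instead of through eval, so that a value containing quotes, dollar signs or semicolons is stored as plain data and never reaches the Perl parser. The sample query string is constructed; the url_decode helper also maps '+' to a space, which the guide's snippet did not do, and split takes a limit of 2 so that an '=' inside a value is preserved.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one URL-encoded component: '+' becomes a space and every %XX
# sequence becomes the byte it encodes. Pure string work, no eval.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $s;
}

# Parse a query string into a hash reference. Names are lowercased and
# given the QS_ prefix as in the guide, but they become hash keys rather
# than variable names, so neither a hostile name nor a hostile value can
# alter program code.
sub parse_query_string {
    my ($qs) = @_;
    my %params;
    foreach my $pair (split /&/, $qs) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        $name = 'QS_' . lc url_decode($name);
        $params{$name} = url_decode($value);
    }
    return \%params;
}

# Constructed sample input. The third value decodes to   "; $x ; "   ,
# i.e. the characters that would break out of the string in
# eval "\$$name = \"$value\""; here they are just bytes in a value.
my $sample = 'f=index.html&n=3&cmd=%22%3B+%24x+%3B+%22';
my $p = parse_query_string($sample);

# Access is by key, e.g. $p->{QS_f} instead of a generated $QS_f variable.
printf "%s => %s\n", $_, $p->{$_} for sort keys %$p;
```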

