httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] mod_rewrite match POST data
Date Tue, 22 Jul 2008 18:10:54 GMT
mdn teo wrote:
> Hi, I have a question about mod_rewrite.
> 
> I want to deny access if the variables included in the GET or the POST are
> matching a defined string
> 
> this is what I use:
> --------
> RewriteCond %{REQUEST_METHOD} ^(GET|POST)$ [NC]
> RewriteCond %{QUERY_STRING} (myvariable=xxx123) [NC]
> RewriteRule .*? - [F]
> --------
> 
> This is working, but only for GET:
> --------
> GET /site/file.php?var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> --------
> the query_string is matched and everything is working fine as mod_rewrite is
> considering:
> QUERY_STRING=var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> 
> This is not working for the POST, as checking the HTTP-Headers, I see that
> the made POST is something like this:
> --------
> POST /site/file.php? HTTP/1.1
> Host: myhost.example.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.1)
> Gecko/2008070208 Firefox/3.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: <deleted by me in this email>
> Cookie: <deleted by me in this email>
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 156
> var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> --------
> 
> so, QUERY_STRING="", and I can't check the content of the POST.
> Is there a way with mod_rewrite to verify and match the content of the POST?
> 

If nobody else provides a positive answer to your liking:
Using mod_perl (and maybe also with something else), you could have a 
small module that converts POSTs to GETs.  It basically would read the 
POST parameters, append them to the incoming URL, and change the 
internal request method from POST to GET.  If it does this early enough 
in the cycle, your mod_rewrite logic would then see a GET.
Here is an example, taken originally from the CPAN module 
Apache2::AuthCookie:

use Apache2::Const qw(M_GET);   # provides the M_GET method-number constant

# Note: escape_uri() is a helper from the module this sub was taken from.
sub _convert_to_get {
     my ($self, $r, $args) = @_;
     return unless $r->method eq 'POST';

     # CGI->Vars() returns the parameter list as a tied hash ref.
     # In this hash, multi-valued parameters are represented by strings,
     # in which multiple values are separated by a binary null byte.
     # The following splits them.
     my @pairs = ();
     while (my ($name, $value) = each %$args) {
         # we don't want to copy login data, only extra data
         next if ($name =~ m/^log_(target|id|pass)$/);
         $value = '' unless defined $value;
         for my $v (split /\0/, $value) {
             push @pairs, escape_uri($r, $name) . '=' . escape_uri($r, $v);
         }
     }

     # Replace the query string with the re-encoded POST parameters,
     # then present the request to later phases as a GET without a body.
     $r->args(join '&', @pairs) if scalar(@pairs) > 0;
     $r->method('GET');
     $r->method_number(M_GET);
     $r->headers_in->unset('Content-Length');
}

André
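
As an added example (not part of the original message and not code from Apache2::AuthCookie), here is the check the original poster describes, written as plain Perl that runs outside Apache: it decodes both the query string and an application/x-www-form-urlencoded body and compares the decoded parameter value, so GET and POST get the same answer. The function names and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded component.
sub form_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse "a=1&b=2" into a hash ref of name => [decoded values].
sub parse_form {
    my ($raw) = @_;
    my %params;
    for my $pair (split /[&;]/, $raw // '') {
        next unless length $pair;
        my ($name, $value) = split /=/, $pair, 2;
        push @{ $params{ form_decode($name) } }, form_decode($value // '');
    }
    return \%params;
}

# True if myvariable=xxx123 appears in the query string or in a
# form-encoded POST body. The comparison is on decoded values and is
# case-insensitive, like the [NC] flag in the quoted rule.
sub should_deny {
    my (%req) = @_;
    my @sources = ($req{query_string});
    push @sources, $req{body}
        if uc($req{method} // '') eq 'POST'
        && ($req{content_type} // '') =~ m{^application/x-www-form-urlencoded\b}i;
    for my $raw (@sources) {
        my $values = parse_form($raw)->{myvariable} or next;
        return 1 if grep { lc($_) eq 'xxx123' } @$values;
    }
    return 0;
}

# Constructed sample requests, modelled on the ones quoted above.
my @samples = (
    { method => 'GET',  query_string => 'var1=Login&myvariable=xxx123' },
    { method => 'POST', query_string => '',
      content_type => 'application/x-www-form-urlencoded',
      body => 'var1=Login&username=user1&myvariable=xxx123' },
    { method => 'POST', query_string => '',
      content_type => 'application/x-www-form-urlencoded',
      body => 'var1=Login&myvariable=other' },
);
printf "%-4s %s\n", $_->{method}, should_deny(%$_) ? 'deny' : 'allow' for @samples;
```

Run with any Perl 5.10 or later; the three samples print deny, deny and allow in that order.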

