httpd-users mailing list archives

From Eric Covener <>
Subject Re: [users@httpd] How to serve up different content depending on authenticated user
Date Thu, 05 Feb 2009 11:32:44 GMT
On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <> wrote:
> Matt McCutchen wrote:
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
> (Not trying to be sarcastic here, it's a genuine question)
> What happens if Evil Hacker me, logs in as user1 and then request in my
> browser ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?

In per-vhost rewrite, you've replaced the bit of code that would kick
that request out with a 400 by using rewrite. However, the ..'s have
still been flattened before the rewrite starts. You would see a
relative path such as "index.html" as the URI in your rule.

If you had only per-directory rules, the core code that maps URIs to
the filesystem would return 400 before you got to them.

Eric Covener
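As an added illustration, not from the thread, of the two stages Eric describes: the Python below models the `..` flattening the core applies before a per-server RewriteRule runs, applies the rule quoted in the thread, and adds a containment check an administrator can use when verifying such a mapping. The names `flatten_dotdots`, `apply_rule`, `within_user_root` and `map_request` are assumed here, and the flattening is a simplified model of httpd's `ap_getparents()`, not httpd's own code.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/accesstest"  # document root used by the rule in the thread


def flatten_dotdots(uri: str) -> str:
    """Simplified model of httpd's ap_getparents(): drop '.' segments and
    collapse 'name/..' pairs (RFC 1808 style). A '..' with nothing left to
    climb is dropped; at '/' the leading slash goes with it, which is why the
    rule then sees a relative URI. Assumption: this approximates the core
    pass that runs before per-server RewriteRules are evaluated."""
    out = []
    for seg in uri.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if out == [""]:      # already at the root
                out.clear()
            elif out:
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def apply_rule(remote_user: str, uri: str) -> str:
    """RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 (per-server)."""
    m = re.match(r"^(.*)$", uri)
    return f"{DOCROOT}/{remote_user}/{m.group(1)}"


def within_user_root(filename: str, remote_user: str) -> bool:
    """Defence-in-depth check: the resolved filename must stay inside the
    per-user directory. Constructed for verifying the mapping; httpd does
    not perform this for you in per-server rewrite context."""
    user_root = f"{DOCROOT}/{remote_user}"
    resolved = posixpath.normpath(filename)
    return resolved == user_root or resolved.startswith(user_root + "/")


def map_request(remote_user: str, raw_uri: str) -> tuple:
    """Decode, flatten, rewrite, then check (decoding before flattening
    is an assumption of this model)."""
    filename = apply_rule(remote_user, flatten_dotdots(unquote(raw_uri)))
    if not within_user_root(filename, remote_user):
        return 403, None
    return 200, posixpath.normpath(filename)

if __name__ == "__main__":
    for uri in ["/index.html", "/../user2/index.html", "/%2e%2e/user2/index.html"]:
        print(uri, "->", map_request("user1", uri))
```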
