httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] How to serve up different content depending on authenticated user
Date Thu, 05 Feb 2009 11:32:44 GMT
On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <aw@ice-sa.com> wrote:
> Matt McCutchen wrote:
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me, logs in as user1 and then request in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?

In per-vhost rewrite, you've replaced the bit of code that would kick
that request out with a 400 by using rewrite. However, the ..'s have
still been flattened before the rewrite starts. You would see a
relative path such as "index.html" as the URI in your rule.

If you had only per-directory rules, the core code that maps URIs to
the filesystem would return 400 before you got to them.

-- 
Eric Covener
covener@gmail.com
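A model of the mapping discussed above, added here as an illustration (it is not code from the thread or from httpd itself): it collapses dot segments in the request URI the way the server does before a rule runs, refuses any URI that would climb above the root (the 400 case described in the reply), and additionally validates REMOTE_USER so a username cannot itself smuggle in a path separator. The directory is the one from the quoted RewriteRule; the function names and the username pattern are my own assumptions.

```python
import posixpath
import re
from typing import Optional

# Base directory taken from the RewriteRule quoted in the thread.
USER_ROOT = "/var/www/accesstest"

# Assumed policy: usernames are plain tokens, no dots or slashes, so a
# REMOTE_USER value can never contribute a ".." or "/" to the target path.
SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def normalize_uri(uri: str) -> Optional[str]:
    """Collapse '.', '..' and empty segments of a request path.

    Returns None when a '..' would step above the root, which is the
    request the server core answers with 400 before any mapping happens.
    """
    if not uri.startswith("/"):
        return None
    out = []
    for seg in uri.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # attempt to escape the document root
            out.pop()
        else:
            out.append(seg)
    path = "/" + "/".join(out)
    if uri.endswith(("/", "/.", "/..")) and path != "/":
        path += "/"  # preserve a trailing slash on directory requests
    return path


def map_to_user_dir(remote_user: str, uri: str) -> Optional[str]:
    """Per-user mapping equivalent to the quoted rule, with containment check."""
    if not SAFE_USER.match(remote_user):
        return None
    clean = normalize_uri(uri)
    if clean is None:
        return None
    user_dir = posixpath.join(USER_ROOT, remote_user)
    target = posixpath.normpath(user_dir + clean)
    # Defence in depth: the result must stay inside this user's directory.
    if target != user_dir and not target.startswith(user_dir + "/"):
        return None
    return target
```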

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

