httpd-users mailing list archives

From Steve Dalton <steve.dal...@gmail.com>
Subject Re: [users@httpd] How to serve up different content depending on authenticated user
Date Thu, 05 Feb 2009 10:10:29 GMT
Matt - That method didn't work for me... it got into an internal recursion
and bombed out after 10 redirects. I think you do perhaps need to test for
something to stop it going on forever.

Andre - I think you are right... that's why you still need to have a
"Require user <user>" in a separate directive for each directory.... it's a
pain but the only way I can see it working. I think perhaps you could write
a macro to automatically add this directive for each directory - but I
haven't got into that yet.

Steve

On Thu, Feb 5, 2009 at 6:41 PM, André Warnier <aw@ice-sa.com> wrote:

> Matt McCutchen wrote:
>
>> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>>
>>> I managed to do something similar in the end, using the prefix user_
>>> for each user directory then adding .htaccess to root dir of:
>>>
>>> AuthType Basic
>>> AuthName "Restricted Files"
>>> AuthUserFile /var/www/passwd/htpasswd
>>> Require valid-user
>>>
>>> RewriteEngine on
>>> RewriteCond $1 !^user_
>>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>>
>>> The only problem with this is that any user could access other users
>>> directories... so I then had to add an additional .htaccess of
>>> require user spidie
>>>
>>> to the user_spidie directory... etc etc.
>>>
>>
>> If you put the rewrite rules in the main server configuration rather
>> than an htaccess file, you don't have to worry about them being run
>> multiple times, so you can drop the user_ prefix and condition.  You
>> don't need to condition on %{REMOTE_USER} either because rewrite rules
>> don't run until after the user gains authorization.  The rule I gave
>> earlier (updated for your directory name) should just work:
>>
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
>>  (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me, logs in as user1 and then request in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
I did have a signature, but the dog ate it.

google:steve.dalton | skype:spidieman | msn: msn@steve.dalts.net |
yahoo:daltonsp | aol: spidie100 | twitter: @spidie | mynetfone:09203861
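As an added example, not from the thread or from the Apache project, this is what the per-directory "Require user" approach described above can look like once the per-user blocks are generated by the macro mentioned in the reply. It assumes Apache 2.4 with mod_rewrite, mod_macro, mod_auth_basic and mod_authz_user loaded, DocumentRoot /var/www/accesstest, the htpasswd file from the thread, and two constructed user names, alice and bob.

```apache
# Added example: per-user directory mapping with mod_rewrite, plus
# mod_macro-generated <Directory> blocks that pin each user_<name>
# directory to its owner. Assumes Apache 2.4; alice and bob are
# constructed placeholder user names.

DocumentRoot "/var/www/accesstest"

<Directory "/var/www/accesstest">
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwd/htpasswd
    Require valid-user

    # Per-directory context: the rewrite runs in the fixup phase, after
    # authentication, so REMOTE_USER is populated here. The !^user_ guard
    # stops the internal redirect from mapping an already-mapped path
    # again (the "10 redirects" loop). The character class on REMOTE_USER
    # guarantees the name spliced into the path contains no "/" or ".".
    RewriteEngine On
    RewriteCond $1 !^user_
    RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
    RewriteRule ^(.*)$ /var/www/accesstest/user_%1/$1 [L]
</Directory>

# One <Directory> block per user, generated from a macro instead of being
# hand-written. With the default AuthMerging Off, the child's Require
# replaces the parent's "Require valid-user", so the only principal
# allowed into user_alice is alice; bob requesting /user_alice/ gets 403.
<Macro UserDir $user>
<Directory "/var/www/accesstest/user_$user">
    Require user $user
</Directory>
</Macro>

Use UserDir alice
Use UserDir bob
UndefMacro UserDir
```

Each name in the htpasswd file needs a matching "Use UserDir <name>" line; a user without one falls through to the parent's "Require valid-user" and would be reachable by any authenticated account.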
