The Artima Developer Community
Sponsored Link

Python Buzz Forum
Discovery: you *can* break out of a set of RewriteRules

0 replies on 1 page.

Welcome Guest
  Sign In

Go back to the topic listing  Back to Topic List Click to reply to this topic  Reply to this Topic Click to search messages in this forum  Search Forum Click for a threaded view of the topic  Threaded View   
Previous Topic   Next Topic
Flat View: This topic has 0 replies on 1 page
Phillip Pearson

Posts: 1083
Nickname: myelin
Registered: Aug, 2003

Phillip Pearson is a Python hacker from New Zealand
Discovery: you *can* break out of a set of RewriteRules Posted: Jun 9, 2008 3:48 AM
Reply to this message Reply

This post originated from an RSS feed registered with Python Buzz by Phillip Pearson.
Original Post: Discovery: you *can* break out of a set of RewriteRules
Feed Title: Second p0st
Feed URL: http://www.myelin.co.nz/post/rss.xml
Feed Description: Tech notes and web hackery from the guy that brought you bzero, Python Community Server, the Blogging Ecosystem and the Internet Topic Exchange
Latest Python Buzz Posts
Latest Python Buzz Posts by Phillip Pearson
Latest Posts From Second p0st

Advertisement

I'm not sure if this is a new thing in Apache 2.0, or if it's been there all along, as I've never seen anyone use this technique, and I've been looking for something like it for years.

Normally mod_rewrite runs through the set of rules, and if none of them match, it passes the URI on to Apache. If any of them match, it applies the changes, then runs through the rules again. It keeps going until it runs through the rules without any matches. This is often exactly not what you want. For example, let's say you want to dispatcher.php to handle all URIs:

RewriteRule (.*) dispatcher.php/$1

This rewrites foo/bar to dispatcher.php/foo/bar, which then gets rewritten again to dispatcher.php/dispatcher.php/foo/bar, ad nauseaum. The solution here is to add a RewriteCond line preventing anything starting with dispatcher.php/ from being rewritten:

RewriteCond %{REQUEST_URI} ! ^dispatcher.php/
RewriteRule (.*) dispatch.php/$1

This is fine if you run everything through a dispatcher script, but often you'll want to serve static files directly. A common solution is to change the RewriteCond to only rewrite URIs that don't match files in the DocumentRoot:

RewriteCond %{REQUEST_FILENAME} ! -f
RewriteRule (.*) dispatch.php/$1

Then, some of the time you'll realise you've got a whole pile of security holes in your system due to how you've organised your directory tree: instead of storing all your library files outside the DocumentRoot (i.e. if /var/www/mysite/htdocs is the DocumentRoot, your libraries would go in /var/www/mysite/lib, your templates in /var/www/mysite/templates, your database password etc in /var/www/mysite/conf) you've got everything underneath the DocumentRoot, and people can access undesirable files directly. In that case the ! -f rule won't do; instead, you want something that validates that the URL only matches a set of 'safe' patterns, and rejecting everything else.

Here's something that will work (excepting any typos):

# First, add a rule for every valid rewritten URI, pointing nowhere, with [L]
RewriteRule ^([a-z]+\.php)$ - [L]
RewriteRule ^images/ - [L]
RewriteRule ^style/ - [L]
RewriteRule ^script/ - [L]

# Now your rewrites
RewriteRule ^my/([^/]+)$ my.php?action=$1 [L]
RewriteRule ^stuff/([^/]+)$ stuff.php?action=$1 [L]

# And forbid anything else
RewriteRule .* - [F]

The trick here is that the [L] flag normally only terminates mod_rewrite's current pass through the rules, but if a RewriteRule doesn't make any changes and also uses [L], mod_rewrite stops completely and passes the rewritten URL straight back to Apache. Here are some example URLs:

- foobar.php → matches the first rule, passed through as-is.

- images/foo.jpg → matches the second rule, passed through as-is.

- my/profile → matches the fifth rule, rewritten to my.php?action=profile. Then on the second pass through the rules, it matches the first rule and is passed through.

- etc/passwd → matches the final rule, resulting in a 403 response.

Comment

Read: Discovery: you *can* break out of a set of RewriteRules

Topic: git-svn Previous Topic   Next Topic Topic: TG2 Status

Sponsored Links



Google
  Web Artima.com   

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use