Posted to user@couchdb.apache.org by Anthony Ananich <an...@inpun.com> on 2013/03/20 13:13:01 UTC

_session + vhost + rewrites

Hi!

I'm trying to make the _session handler accessible via a URL like
http://mysite.com/_session while using rewrite rules. I get the
following error:
{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}

I found that it could be fixed by adding this to an ini file:
[httpd]
secure_rewrites = false

Is there a way to allow _session without disabling secure_rewrites?

Thanks,
Anthony

Re: _session + vhost + rewrites

Posted by Robert Newson <rn...@apache.org>.
Ah, sure, that makes sense :)

On 20 March 2013 12:26, Anthony Ananich <an...@inpun.com> wrote:
> I think I've found an answer. It seems that while using vhost
> /_session handler is available in the root of vhost independent on if
> there are any rewrite rules or not.
>
> I was not able to find any documentation about that, so I'm not sure
> if it is bug or feature :)
>
> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>> Hm, not without a code change, I think. The secure rewrites setting is
>> to prevent a rewrite jumping between databases. At first glance it
>> does seem an overreach to block a rewrite to _session (and presumably
>> anything else at the top level).
>>
>> B.
>>
>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>> Hi!
>>>
>>> I'm trying to make _session handler accessible via url like
>>> http://mysite.com/_session while using rewrite rules. I get the
>>> following error:
>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>
>>> I found that it could be fixed with adding this to an ini file:
>>> [httpd]
>>> secure_rewrites = false
>>>
>>> Is there a way to allow _session without disabling secure_rewrites?
>>>
>>> Thanks,
>>> Anthony

Re: _session + vhost + rewrites

Posted by Jeff Charette <io...@yahoo.com>.
+1

Jeff Charette | Principal 
We Are Charette
web / identity / packaging

m  415.298.2707
w  wearecharette.com
e   jeffrey@wearecharette.com

On Mar 20, 2013, at 9:21 AM, Anthony Ananich <an...@inpun.com> wrote:

> Good to know this. Thanks!
> 
> On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <bc...@gmail.com> wrote:
>> On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
>> <an...@inpun.com> wrote:
>>> I think I've found an answer. It seems that while using vhost
>>> /_session handler is available in the root of vhost independent on if
>>> there are any rewrite rules or not.
>>> 
>>> I was not able to find any documentation about that, so I'm not sure
>>> if it is bug or feature :)
>> 
>> It's a feature, see in the section [httpd] of default.ini:
>> 
>> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
>> 
>> - benoît
>> 
>> 
>>> 
>>> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>>>> Hm, not without a code change, I think. The secure rewrites setting is
>>>> to prevent a rewrite jumping between databases. At first glance it
>>>> does seem an overreach to block a rewrite to _session (and presumably
>>>> anything else at the top level).
>>>> 
>>>> B.
>>>> 
>>>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>>>> Hi!
>>>>> 
>>>>> I'm trying to make _session handler accessible via url like
>>>>> http://mysite.com/_session while using rewrite rules. I get the
>>>>> following error:
>>>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>>> 
>>>>> I found that it could be fixed with adding this to an ini file:
>>>>> [httpd]
>>>>> secure_rewrites = false
>>>>> 
>>>>> Is there a way to allow _session without disabling secure_rewrites?
>>>>> 
>>>>> Thanks,
>>>>> Anthony


Re: _session + vhost + rewrites

Posted by Anthony Ananich <an...@inpun.com>.
Good to know this. Thanks!

On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
> <an...@inpun.com> wrote:
>> I think I've found an answer. It seems that while using vhost
>> /_session handler is available in the root of vhost independent on if
>> there are any rewrite rules or not.
>>
>> I was not able to find any documentation about that, so I'm not sure
>> if it is bug or feature :)
>
> It's a feature, see in the section [httpd] of default.ini:
>
> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
>
> - benoît
>
>
>>
>> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>>> Hm, not without a code change, I think. The secure rewrites setting is
>>> to prevent a rewrite jumping between databases. At first glance it
>>> does seem an overreach to block a rewrite to _session (and presumably
>>> anything else at the top level).
>>>
>>> B.
>>>
>>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>>> Hi!
>>>>
>>>> I'm trying to make _session handler accessible via url like
>>>> http://mysite.com/_session while using rewrite rules. I get the
>>>> following error:
>>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>>
>>>> I found that it could be fixed with adding this to an ini file:
>>>> [httpd]
>>>> secure_rewrites = false
>>>>
>>>> Is there a way to allow _session without disabling secure_rewrites?
>>>>
>>>> Thanks,
>>>> Anthony

Re: _session + vhost + rewrites

Posted by Benoit Chesneau <bc...@gmail.com>.
On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
<an...@inpun.com> wrote:
> I think I've found an answer. It seems that while using vhost
> /_session handler is available in the root of vhost independent on if
> there are any rewrite rules or not.
>
> I was not able to find any documentation about that, so I'm not sure
> if it is bug or feature :)

It's a feature; see the [httpd] section of default.ini:

vhost_global_handlers = _utils, _uuids, _session, _oauth, _users

- benoît


>
> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>> Hm, not without a code change, I think. The secure rewrites setting is
>> to prevent a rewrite jumping between databases. At first glance it
>> does seem an overreach to block a rewrite to _session (and presumably
>> anything else at the top level).
>>
>> B.
>>
>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>> Hi!
>>>
>>> I'm trying to make _session handler accessible via url like
>>> http://mysite.com/_session while using rewrite rules. I get the
>>> following error:
>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>
>>> I found that it could be fixed with adding this to an ini file:
>>> [httpd]
>>> secure_rewrites = false
>>>
>>> Is there a way to allow _session without disabling secure_rewrites?
>>>
>>> Thanks,
>>> Anthony
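
The configuration this reply points to, written out as an added example that is not part of the original thread: the global handler list from default.ini next to the secure_rewrites workaround from the first post. The database name "mydb" and design document "app" are placeholders; mysite.com is the host from the question.

```ini
; Added example, not from the thread. "mydb" and "app" are placeholder names.

[httpd]
; Workaround from the first post. It removes the insecure_rewrite_rule error,
; but it also turns off the check that stops a rewrite from jumping between
; databases, for every rewrite rule on the server. Left commented out.
; secure_rewrites = false

; Keep the protective setting on.
secure_rewrites = true

; Handlers listed here are served at the root of every vhost, whether or not
; the vhost target has rewrite rules. _session is in the list quoted from
; default.ini, so no rewrite rule pointing at _session is needed.
vhost_global_handlers = _utils, _uuids, _session, _oauth, _users

[vhosts]
; The vhost maps the site to a design document's rewrite handler.
mysite.com = /mydb/_design/app/_rewrite
```

With this in place, a request for http://mysite.com/_session goes to the session handler directly, which is the behaviour reported in the thread, and secure_rewrites stays enabled.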

Re: _session + vhost + rewrites

Posted by Anthony Ananich <an...@inpun.com>.
I think I've found an answer. It seems that when using a vhost, the
/_session handler is available in the root of the vhost independent of
whether there are any rewrite rules or not.

I was not able to find any documentation about that, so I'm not sure
if it is a bug or a feature :)

On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
> Hm, not without a code change, I think. The secure rewrites setting is
> to prevent a rewrite jumping between databases. At first glance it
> does seem an overreach to block a rewrite to _session (and presumably
> anything else at the top level).
>
> B.
>
> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>> Hi!
>>
>> I'm trying to make _session handler accessible via url like
>> http://mysite.com/_session while using rewrite rules. I get the
>> following error:
>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>
>> I found that it could be fixed with adding this to an ini file:
>> [httpd]
>> secure_rewrites = false
>>
>> Is there a way to allow _session without disabling secure_rewrites?
>>
>> Thanks,
>> Anthony

Re: _session + vhost + rewrites

Posted by Robert Newson <rn...@apache.org>.
Hm, not without a code change, I think. The secure rewrites setting is
to prevent a rewrite jumping between databases. At first glance it
does seem an overreach to block a rewrite to _session (and presumably
anything else at the top level).

B.

On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
> Hi!
>
> I'm trying to make _session handler accessible via url like
> http://mysite.com/_session while using rewrite rules. I get the
> following error:
> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>
> I found that it could be fixed with adding this to an ini file:
> [httpd]
> secure_rewrites = false
>
> Is there a way to allow _session without disabling secure_rewrites?
>
> Thanks,
> Anthony