Posted to users@httpd.apache.org by mdn teo <md...@gmail.com> on 2008/07/22 12:04:27 UTC

[users@httpd] mod_rewrite match POST data

Hi, I have a question about mod_rewrite.

I want to deny access if the variables included in the GET or the POST
match a defined string.

this is what I use:
--------
RewriteCond %{REQUEST_METHOD} ^(GET|POST)$ [NC]
RewriteCond %{QUERY_STRING} (myvariable=xxx123) [NC]
RewriteRule .*? - [F]
--------

This is working, but only for GET:
--------
GET /site/file.php?var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
--------
the query_string is matched and everything is working fine as mod_rewrite is
considering:
QUERY_STRING=var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123

This is not working for the POST, as checking the HTTP headers, I see that
the POST made is something like this:
--------
POST /site/file.php? HTTP/1.1
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: <deleted by me in this email>
Cookie: <deleted by me in this email>
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
--------

so, QUERY_STRING="", and I can't check the content of the POST.
Is there a way with mod_rewrite to verify and match the content of the POST?

Re: [users@httpd] mod_rewrite match POST data

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 22, 2008 at 6:04 AM, mdn teo <md...@gmail.com> wrote:

> Is there a way with mod_rewrite to verify and match the content of the POST?

No, but maybe something like mod_security can.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
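
A ModSecurity 2.x configuration that performs the check asked about above, shown next to the thread's mod_rewrite rules; this is an added example and not part of any poster's message. It assumes mod_security2 is loaded, and the rule id and log message are constructed for illustration.

```apache
# mod_rewrite rules from the thread (RewriteEngine On added so the fragment
# is complete). QUERY_STRING is only the part of the URL after "?", so a
# form-encoded POST body is never inspected by these conditions.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(GET|POST)$ [NC]
RewriteCond %{QUERY_STRING} (myvariable=xxx123) [NC]
RewriteRule .*? - [F]

# ModSecurity 2.x counterpart (assumption: mod_security2 is loaded).
<IfModule security2_module>
    SecRuleEngine On

    # Buffer and parse request bodies. Without this, ARGS contains only
    # the query-string parameters and the POST case is still missed.
    SecRequestBodyAccess On

    # ARGS holds parameters from both the query string and an
    # application/x-www-form-urlencoded body, so one rule covers GET and POST.
    # phase:2 runs after the request body has been read.
    # t:lowercase mirrors the [NC] flag of the RewriteCond.
    # @streq compares the whole parameter value; the RewriteCond above is an
    # unanchored substring match on the raw query string.
    # The id and msg values are constructed for this example.
    SecRule ARGS:myvariable "@streq xxx123" \
        "id:1000001,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'Blocked myvariable=xxx123'"
</IfModule>
```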


Re: [users@httpd] mod_rewrite match POST data

Posted by André Warnier <aw...@ice-sa.com>.
mdn teo wrote:
> Hi, I have a question about mod_rewrite.
> 
> I want to deny access if the variables included in the GET or the POST
> match a defined string.
> 
> this is what I use:
> --------
> RewriteCond %{REQUEST_METHOD} ^(GET|POST)$ [NC]
> RewriteCond %{QUERY_STRING} (myvariable=xxx123) [NC]
> RewriteRule .*? - [F]
> --------
> 
> This is working, but only for GET:
> --------
> GET /site/file.php?var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> --------
> the query_string is matched and everything is working fine as mod_rewrite is
> considering:
> QUERY_STRING=var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> 
> This is not working for the POST, as checking the HTTP headers, I see that
> the POST made is something like this:
> --------
> POST /site/file.php? HTTP/1.1
> Host: myhost.example.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: <deleted by me in this email>
> Cookie: <deleted by me in this email>
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 156
> 
> var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
> --------
> 
> so, QUERY_STRING="", and I can't check the content of the POST.
> Is there a way with mod_rewrite to verify and match the content of the POST?
> 

If nobody else provides a positive answer to your liking:
Using mod_perl (and maybe also with something else), you could have a 
small module that converts POSTs to GETs.  It basically would read the 
POST parameters, append them to the incoming URL, and change the 
internal request method from POST to GET.  If it does this early enough 
in the cycle, your mod_rewrite logic would then see a GET.
Here is an example, taken originally from the CPAN module 
Apache2::AuthCookie:

use Apache2::Const qw(M_GET);   # method-number constant used below

# Note: escape_uri($r, $string) is a helper that must be in scope;
# it is not defined in this excerpt.
sub _convert_to_get {
    my ($self, $r, $args) = @_;
    return unless $r->method eq 'POST';

    # CGI->Vars() returns the parameter list as a tied hash ref.
    # In this hash, multi-valued parameters are represented by strings,
    # in which multiple values are separated by a binary null byte.
    # The following splits them.
    my @pairs = ();
    while (my ($name, $value) = each %$args) {
        # we don't want to copy login data, only extra data
        next if ($name =~ m/^log_(target|id|pass)$/);
        $value = '' unless defined $value;
        for my $v (split /\0/, $value) {
            push @pairs, escape_uri($r, $name) . '=' . escape_uri($r, $v);
        }
    }

    # Move the parameters into the query string, then present the
    # request to later phases as a body-less GET.
    $r->args(join '&', @pairs) if scalar(@pairs) > 0;
    $r->method('GET');
    $r->method_number(M_GET);
    $r->headers_in->unset('Content-Length');
}

André

