Posted to dev@httpd.apache.org by "Ralf S. Engelschall" <rs...@engelschall.com> on 1996/07/19 18:27:57 UTC
mod_rewrite <-> mod_proxy and Security!
Now I've added another feature to the new mod_rewrite (it will be named 2.0
instead of 1.8, because there are too many major changes):
Forcing a currently generated URI
to be put through the proxy module!
Example (mind the P=proxy flag):
RewriteEngine On
RewriteRule ^/apache/(.*)$ http://www.apache.org/$1 [P]
This is a more powerful way of mod_proxy's ProxyRemote directive to map
external stuff into the namespace of the local server. More powerful here
does not mean the proxy is better - no, it does only mean you have the power
of regexp to configure this feature (e.g. you can only proxy some specific
files of a directory, etc.)
While this seems a useful feature, perhaps this is a security risk, I think.
Because: In my current implementation it can be also used in per-directory
configuration files (.htaccess) !! E.g. a user could map remote stuff into
its homedir namespace by e.g.
RewriteEngine On
RewriteRule ^hotstuff http://hotstuff/ [P]
Now the question is:
Is this _REALLY_ a _SECURITY_ problem?
Hmmm.... I can think of situations where this could be an ethical problem, but
I would not declare it as a real security problem. Because: This mod_rewrite
feature does only provide a shorter way to do the trick, I think. I could
write a CGI program instead of using the above directive which calls the
local proxy in the background to achieve the same result.
Any hints and comments to this feature?
BTW: As recently discussed, mod_rewrite directives are _ONLY_ useable
in .htaccess files if "Option FollowSymLinks" is active.
Greetings,
Ralf S. Engelschall
rse@engelschall.com
http://www.engelschall.com/~rse
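
An added example, not part of the original post or of mod_rewrite itself: one way an administrator could audit per-directory configuration for the rules discussed above, by listing every RewriteRule that carries the proxy flag. The function names and the sample .htaccess text are constructed for illustration; the flag is assumed to be written as [P] or [proxy], possibly combined with other flags.

```python
import shlex

PROXY_FLAGS = {"p", "proxy"}  # [P] or [proxy] sends the result through mod_proxy

# Constructed sample .htaccess content, for illustration only.
SAMPLE = r"""# constructed sample
RewriteEngine On
RewriteRule ^hotstuff http://hotstuff/ [P]
RewriteRule ^old\.html$ new.html [L]
RewriteRule ^mirror/(.*)$ \
    http://www.apache.org/$1 [L,proxy]
# RewriteRule ^x http://x/ [P]
RewriteRule ^page$ /p.html [PT]
"""

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_proxy_rules(text):
    """Return (line_no, pattern, substitution) for each proxied RewriteRule."""
    hits = []
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            # posix=False keeps regex backslashes such as \. intact
            parts = [p.strip('"') for p in shlex.split(line, posix=False)]
        except ValueError:
            parts = line.split()  # unbalanced quote: fall back to plain split
        if len(parts) < 4 or parts[0].lower() != "rewriterule":
            continue
        flags_tok = parts[3]
        if not (flags_tok.startswith("[") and flags_tok.endswith("]")):
            continue
        # Compare whole flag names so that [PT] is not mistaken for [P].
        flags = {f.split("=", 1)[0].strip().lower() for f in flags_tok[1:-1].split(",")}
        if flags & PROXY_FLAGS:
            hits.append((no, parts[1], parts[2]))
    return hits

if __name__ == "__main__":
    for no, pattern, target in find_proxy_rules(SAMPLE):
        print(f"line {no}: {pattern} -> {target} (proxied)")
```

Run over the .htaccess files under user directories, this shows which remote hosts have been mapped into the local namespace.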