Posted to dev@httpd.apache.org by Elizabeth Mattijsen <li...@xxLINK.nl> on 1997/11/23 16:37:59 UTC
Re: mod_rewrite/1440: Rewrite has problems with urls such as
"http://foo/bar//goo.html" (double //'s)
At 09:16 23-11-97 -0700, Marc Slemko wrote:
>All the same, I think this should at least be noted as a possible security
>risk.
>Say people are using mod_rewrite for some sort of access control. It is
>not intuitive that people can bypass it just by adding '/'s.
>> 3. When he wants to clean up any double slashes he has
>> to do so explicitly, for instance via
>> RewriteRule (.*)//+(.*) $1/$2 [next]
That basically means that ANY slash in a RewriteRule should have "/+"
followed by it in order to be sure that the rule will always work. I don't
think you can accept this from webmasters. In my opinion, mod_rewrite
should automatically do a s#//#/#g on any input string.
Even <Location> </Location> takes care of double slashes in URLs properly.
I assume the new LocationMatch does so also, otherwise that might be a
security hole the size you could drive a Mack truck through... ;-(
Elizabeth Mattijsen
xxLINK Internet Services
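
The slash handling discussed in this message, as an added example that is not part of the original post or of mod_rewrite: a Python model of a pattern-based deny rule checked against constructed paths under three normalization strategies. The rule, the paths and the function names are hypothetical, and the example assumes the backend treats repeated slashes as one.

```python
import re

# Hypothetical pattern-based access rule (an assumption for this example):
# any path that starts with /private/secret/ must be denied.
DENY = re.compile(r"^/private/secret/")

def no_normalize(path):
    # Match the rule against the path exactly as received.
    return path

def single_pass(path):
    # One left-to-right pass replacing "//" with "/", as s#//#/#g does.
    # A run of three slashes is reduced to two, not to one.
    return path.replace("//", "/")

def collapse_runs(path):
    # Replace every run of two or more slashes with a single slash,
    # the same effect the quoted "//+" rule reaches by looping with [next].
    return re.sub(r"/{2,}", "/", path)

def escapes(normalizer, paths):
    """Return the paths the deny rule misses after applying normalizer."""
    return [p for p in paths if not DENY.search(normalizer(p))]

# Constructed request paths; under the stated assumption they all
# resolve to the same protected resource.
VARIANTS = [
    "/private/secret/x.html",
    "/private//secret/x.html",
    "/private///secret/x.html",
    "//private/secret/x.html",
    "/private/secret//x.html",
]

if __name__ == "__main__":
    for fn in (no_normalize, single_pass, collapse_runs):
        print(f"{fn.__name__:14} misses: {escapes(fn, VARIANTS)}")
```

A rule set can be regression-tested this way: any path returned by `escapes` is a variant the rule does not cover under that normalizer.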