Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/11/23 17:16:30 UTC

Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

All the same, I think this should at least be noted as a possible security
risk.

Say people are using mod_rewrite for some sort of access control.  It is
not intuitive that people can bypass it just by adding '/'s.

On 23 Nov 1997 rse@hyperreal.org wrote:

> [In order for any reply to be added to the PR database, ]
> [you need to include <ap...@Apache.Org> in the Cc line ]
> [and leave the subject line UNCHANGED.  This is not done]
> [automatically because of the potential for mail loops. ]
> 
> 
> Synopsis: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)
> 
> State-Changed-From-To: analyzed-closed
> State-Changed-By: rse
> State-Changed-When: Sun Nov 23 03:32:26 PST 1997
> State-Changed-Why:
> The user really has two problems. First as Dean said /img
> cannot match ^/img/(.*) and second //img also cannot
> match ^/img/(.*). So 
> 
> 1. mod_rewrite is correct because it does what the
>    has configured. There is no way and no need to
>    any automatic "slash-cleanups". mod_rewrite matches
>    against the given URL as is (as long as it still is not
>    rewritten by another rewrite rule)
> 2. When double slashes can occur the user had to
>    change its rewrite rule to ^/+img... as Dean said.
> 3. When he wants cleanup any double slashes he has
>    to do so explicitly, for instance via 
>    RewriteRule (.*)//+(.*)  $1/$2  [next]
> 
> So, this is not a problem of mod_rewrite. 
> It's a matter of correct configuration of the
> rewrite rules. The URL Rewriting Engine can only do
> what it is configured to do. And it does not more
> and not less...
> 


Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

Posted by Elizabeth Mattijsen <li...@xxLINK.nl>.
At 09:16 23-11-97 -0700, Marc Slemko wrote:
>All the same, I think this should at least be noted as a possible security
>risk.
>Say people are using mod_rewrite for some sort of access control.  It is
>not intuitive that people can bypass it just by adding '/'s.
>> 3. When he wants cleanup any double slashes he has
>>    to do so explicitly, for instance via 
>>    RewriteRule (.*)//+(.*)  $1/$2  [next]

That basically means that ANY slash in a RewriteRule should have "/+"
followed by it in order to be sure that the rule will always work.  I don't
think you can accept this from webmasters.  In my opinion, mod_rewrite
should automatically do a s#//#/#g on any input string.

Even <Location> </Location> takes care of double slashes in URLs properly.
I assume the new LocationMatch does so also, otherwise that might be a
security hole the size you could drive a Mack truck through...  ;-(


Elizabeth Mattijsen
xxLINK Internet Services

Re: mod_rewrite/1440: Rewrite has problems with urls such as "http://foo/bar//goo.html" (double //'s)

Posted by Dean Gaudet <dg...@arctic.org>.
Could you describe how and when double / could be removed while not
screwing up mod_rewrite functionality?  I don't think they can.  Consider: 

    RewriteRule /clicklog/(.*) $1 [R]

and <http://yourplace.com/clicklog/http://somewhereelse.com/foo>.  This is
a valid operation which could be used for logging ad banner clickthroughs.

Note also that AliasMatch does *not* collapse double slashes.  (And hence
neither does RedirectMatch.)

DirectoryMatch/Directory do collapse double slashes because they implement
filesystem semantics.  DirectoryMatch/Directory in their "special" mode
(i.e. proxy:*) do not collapse double slashes (neither does Directory in
this case) because it is operating on URIs directly, where double-slashes
are valid. 

LocationMatch/Location do collapse double slashes, but I consider this to
be a bug.  They are documented to work in the URI space, not in the
filespace. 

RFC1738, RFC1808, and Roy's new draft appear silent on the issue. 

Dean

On Sun, 23 Nov 1997, Marc Slemko wrote:

> All the same, I think this should at least be noted as a possible security
> risk.
> 
> Say people are using mod_rewrite for some sort of access control.  It is
> not intuitive that people can bypass it just by adding '/'s.
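
Added example, not part of any post in this thread and not Apache code: a small Python model of the pattern matching discussed above, for checking a rule set against slash-padded paths before relying on it for access control. The regexes are the ones quoted in the thread; the function names and sample paths are constructed, and the loop only approximates how `[next]` restarts rule processing.

```python
import re

# Patterns quoted in the thread.
STRICT = re.compile(r"^/img/(.*)")         # rule from the original report
TOLERANT = re.compile(r"^/+img/+(.*)")     # the "^/+img..." form suggested in the PR reply
COLLAPSE = re.compile(r"(.*)//+(.*)")      # pattern of the explicit cleanup rule
CLICKLOG = re.compile(r"/clicklog/(.*)")   # Dean's redirect rule


def rule_fires(pattern, path):
    """mod_rewrite applies the pattern to the URL path as given (unanchored search)."""
    return pattern.search(path) is not None


def collapse_slashes(path):
    """Model of `RewriteRule (.*)//+(.*) $1/$2 [next]`: substitute, then
    start over, until no run of two or more slashes is left."""
    while True:
        m = COLLAPSE.search(path)
        if m is None:
            return path
        path = m.group(1) + "/" + m.group(2)


def redirect_target(path, normalize):
    """Return $1 of the clicklog rule, optionally after slash cleanup."""
    if normalize:
        path = collapse_slashes(path)
    m = CLICKLOG.search(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample paths.
    for p in ["/img/logo.gif", "//img/logo.gif", "/img//logo.gif", "//img///logo.gif"]:
        print(p, "strict:", rule_fires(STRICT, p),
              "tolerant:", rule_fires(TOLERANT, p),
              "strict after cleanup:", rule_fires(STRICT, collapse_slashes(p)))
    click = "/clicklog/http://somewhereelse.com/foo"
    print(redirect_target(click, normalize=False))  # target preserved
    print(redirect_target(click, normalize=True))   # "//" in the target is lost
```

The last two lines show the trade-off raised in the thread: blanket slash cleanup makes the strict rule fire, but it also alters a URL embedded in the path.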