You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Vadim N. Lyalikov" <va...@yandex.ru> on 2004/11/01 09:43:55 UTC
[users@httpd] escaped input mod_rewrite
>>I have:
>> Already nonescaped url as *input* to mod_rewrite RewriteRule, e.g.
>> .../slash/inside_filename.html
>> I need:
>> Escaped (as it is in REQUEST_URI) url:
>> .../slash%2Finside_filename.html
>
>
>Then just use the %{REQUEST_URI} directly in a RewriteCond and use
>whatever backreferences (%1, %2, etc) you need in the RewriteRule.
>
>Joshua.
Thanks for reply, now:
I have: (file test.php is valid and outputs "Test")
RewriteCond %{REQUEST_URI} ^/b/index.html$ [NC]
RewriteRule ^.*$ http://a/b/test.php [NC]
mozilla: http://a/b/index.html shows test.php output.
But:
RewriteCond %{REQUEST_URI} ^/b/index%20.html$ [NC]
#or RewriteCond %{REQUEST_URI} ^/b/index\%20.html$ [NC]
RewriteRule ^.*$ http://a/b/test.php [NC]
mozilla: http://a/b/index%20.html
#or mozilla: http://a/b/index .html (with whitespace)
results in
Bad Request
Your browser sent a request that this server could not understand.
Apache/1.3.9 Server at br Port 80
I need:
the same as in first letter.
Could you, please, give me RewriteCond example, which can parse URIs
with '%' character inside?
Vadim.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: [OBORONA-SPAM] Re: [users@httpd] escaped input mod_rewrite
Posted by Joshua Slive <js...@gmail.com>.
On Mon, 01 Nov 2004 20:12:46 +0300, Vadim N. Lyalikov
<va...@yandex.ru> wrote:
> I've installed
> Apache/1.3.33 (Win32) PHP/4.3.9 (mod)
> Same results.
> e.g. mod_rewrite_log with index%20.html pattern from last letter:
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [ per-dir .../b]
> strip per-dir prefix: .../b/index .html -> index .html
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [per-dir .../b/]
> applying pattern '^.*$' to uri 'index .html'
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (4) RewriteCond:
> input='/b/index .html' pattern='^/b/index%20.html$' => not-matched
> (note whitespace between 'x' and '.' in 'index .html')
> Also Jeff Trawick said:
> I thought Apache 1.3 would always reject requests with slashes, whether
> or not encoded. (Apache 2.0 has a directive called AllowEncodedSlashes
> (http://httpd.apache.org/docs-2.0/mod/core.html#allowencodedslashes),
> and without setting that Apache 2.0 will reject such a request with
> file-not-found. Apache 1.3 will always reject such a request with
> file-not-found, so even if you get mod_rewrite to encode the slash it
> still won't be acceptable.
> Seems there is no way to have input to RewriteCond or RewriteRule, fully
> escaped with '%'.
Slashes are %2f. You are using%20 which is space. Apache will not
reject those.
Try using the space explictly in your RewriteCond/Rule instead of the
% stuff. Just make sure to surround the argument in quotes so that it
won't be interpreted as two arguments.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] escaped input mod_rewrite
Posted by "Vadim N. Lyalikov" <va...@yandex.ru>.
Hi, Joshua :c) et all.
>>1) generate random string (each symbol can have *any* value - from 0
to 255)
>>...
>>3) create valid (rfc) http url, like
>>http://host.com/path/word/my_escaped_random_string/index.html (my_url)
>>...
>>6)redirect to url like:
>> http://host.com/path/word.php?word_id=my_escaped_random_string
>>
>I don't understand the point of this whole thing, but you really can't
>expect it to work.
>Joshua.
The point of this whole thing is Search_Engine_Friendly URLs.
You may read http://www.sitepoint.com/article/search-engine-friendly-urls
In nutshell: to provide good indexing by spiders
we move each val=var pair *from* query string to path. And if
possible, replace val (often - a number) with it human readable
corresponding value (often - name) , e.g. from database.
As i understood, this is impossible in coommon case: with arbitrary strings.
Thanks for patience.
Vadim.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] escaped input mod_rewrite
Posted by Joshua Slive <js...@gmail.com>.
On Tue, 02 Nov 2004 00:39:08 +0300, Vadim N. Lyalikov
<va...@yandex.ru> wrote:
> Hi, all.
> Sorry for may be confusing you different (but valid) examples in my mails.
> My global wish:
> 1) generate random string (each symbol can have *any* value - from 0 to 255)
> 2) escape all non safe chars in it (thought all, except alphanumeric and
> '_' and '-'). Result - my_escaped_random_string
> 3) create valid (rfc) http url, like
> http://host.com/path/word/my_escaped_random_string/index.html (my_url)
> 4) output this href with this url to UA
> 5) parse request_uri while processing this url:
> mod_rewrite appears at scene
> 6)redirect to url like:
> http://host.com/path/word.php?word_id=my_escaped_random_string
> mod_rewrite do big work and dissapears.
> Trubbles come at stages 5) and 6) - percent symbols ('%') are
> automatically unescaped by apache. Seems at stage 5. And, as you may
> imagine, url in output of stage 6 may look awful, and for sure incorrect
> according to rfc. e.g. string = "?", so we get
> http://host.com/path/word.php?word_id=?. Error. And i want ...?word_id=%3F
> %20 and %2F are just obvious examples.
> Thanks for reply, once more.
I don't understand the point of this whole thing, but you really can't
expect it to work. The stuff in the path is subject to certain
canonicalization rules, so you can't guarantee that you can pass
through arbitrary strings. For example, path segments like ".." might
be collapsed, and encoded slashes will be rejected for security
reasons. You might have better luck passing stuff in the query
string.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] escaped input mod_rewrite
Posted by "Vadim N. Lyalikov" <va...@yandex.ru>.
Hi, all.
Sorry for may be confusing you different (but valid) examples in my mails.
My global wish:
1) generate random string (each symbol can have *any* value - from 0 to 255)
2) escape all non safe chars in it (thought all, except alphanumeric and
'_' and '-'). Result - my_escaped_random_string
3) create valid (rfc) http url, like
http://host.com/path/word/my_escaped_random_string/index.html (my_url)
4) output this href with this url to UA
5) parse request_uri while processing this url:
mod_rewrite appears at scene
6)redirect to url like:
http://host.com/path/word.php?word_id=my_escaped_random_string
mod_rewrite do big work and dissapears.
Trubbles come at stages 5) and 6) - percent symbols ('%') are
automatically unescaped by apache. Seems at stage 5. And, as you may
imagine, url in output of stage 6 may look awful, and for sure incorrect
according to rfc. e.g. string = "?", so we get
http://host.com/path/word.php?word_id=?. Error. And i want ...?word_id=%3F
%20 and %2F are just obvious examples.
Thanks for reply, once more.
Vadim.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: [OBORONA-SPAM] Re: [users@httpd] escaped input mod_rewrite
Posted by "Vadim N. Lyalikov" <va...@yandex.ru>.
I've installed
Apache/1.3.33 (Win32) PHP/4.3.9 (mod)
Same results.
e.g. mod_rewrite_log with index%20.html pattern from last letter:
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [ per-dir .../b]
strip per-dir prefix: .../b/index .html -> index .html
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [per-dir .../b/]
applying pattern '^.*$' to uri 'index .html'
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (4) RewriteCond:
input='/b/index .html' pattern='^/b/index%20.html$' => not-matched
(note whitespace between 'x' and '.' in 'index .html')
Also Jeff Trawick said:
I thought Apache 1.3 would always reject requests with slashes, whether
or not encoded. (Apache 2.0 has a directive called AllowEncodedSlashes
(http://httpd.apache.org/docs-2.0/mod/core.html#allowencodedslashes),
and without setting that Apache 2.0 will reject such a request with
file-not-found. Apache 1.3 will always reject such a request with
file-not-found, so even if you get mod_rewrite to encode the slash it
still won't be acceptable.
Seems there is no way to have input to RewriteCond or RewriteRule, fully
escaped with '%'.
Sad but true :(
Thanks for comments.
Vadim.
>>Could you, please, give me RewriteCond example, which can parse URIs
>>with '%' character inside?
>
>To start with, that version of apache is terminally out-dated. So it
>is practically useless to give any advice.
>
>But even with modern versions, dealing with character escaping in
>mod_rewrite is complicated.
>
>Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] escaped input mod_rewrite
Posted by Joshua Slive <js...@gmail.com>.
On Mon, 01 Nov 2004 11:43:55 +0300, Vadim N. Lyalikov
<va...@yandex.ru> wrote:
> Apache/1.3.9 Server at br Port 80
>
> I need:
> the same as in first letter.
>
> Could you, please, give me RewriteCond example, which can parse URIs
> with '%' character inside?
To start with, that version of apache is terminally out-dated. So it
is practically useless to give any advice.
But even with modern versions, dealing with character escaping in
mod_rewrite is complicated. It is essential to use the RewriteLog to
find out what is really going on. And you may need to match against
the decoded character in some places. (For a space, you'll need to
surround everything in quotes.)
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org