Posted to cvs@httpd.apache.org by jo...@apache.org on 2011/10/05 17:36:56 UTC

svn commit: r1179266 - /httpd/httpd/trunk/docs/manual/rewrite/flags.xml

Author: jorton
Date: Wed Oct  5 15:36:56 2011
New Revision: 1179266

URL: http://svn.apache.org/viewvc?rev=1179266&view=rev
Log:
- add a security warning, and tweak the example, in light of CVE-2011-3368

Modified:
    httpd/httpd/trunk/docs/manual/rewrite/flags.xml

Modified: httpd/httpd/trunk/docs/manual/rewrite/flags.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/rewrite/flags.xml?rev=1179266&r1=1179265&r2=1179266&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/rewrite/flags.xml (original)
+++ httpd/httpd/trunk/docs/manual/rewrite/flags.xml Wed Oct  5 15:36:56 2011
@@ -482,7 +482,7 @@ example, if you wanted all image request
 image server, you might do something like the following:</p>
 
 <example>
-RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
+RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
 </example>
 
 <p>Use of the [P] flag implies [L] - that is, the request is immediately
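Review bot: The new pattern on the "+" line, "/(.*)\.(jpg|gif|png)", is unanchored, so the leading "/" it now requires can match anywhere in the request path rather than only at its start, and the extension can match mid-path. Since the point of the tweak is to keep the substitution fixed through "http://images.example.com/" before any client-supplied text is appended, consider anchoring both ends in the documented example, e.g. "^/(.*)\.(jpg|gif|png)$", and adding a sentence below the example saying why the "/" after the hostname matters, so readers do not copy the rule and drop it.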
@@ -498,6 +498,15 @@ more powerful implementation of the <dir
 module="mod_proxy">ProxyPass</directive> directive,
 to map remote content into the namespace of the local server.</p>
 
+<note type="warning">
+<title>Security Warning</title>
+<p>Take care when constructing the target URL of the rule, considering
+the security impact from allowing the client influence over the set of
+URLs to which your server will act as a proxy.  Ensure that the scheme
+and hostname part of the URL is either fixed, or does not allow the
+client undue influence.</p>
+</note>
+
 <p>Note: <module>mod_proxy</module> must be enabled in order
 to use this flag.</p>
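Review bot: The added warning paragraph states the risk only in the abstract and never points at the example changed earlier in this file, so a reader cannot tell what a safe target looks like. Suggest adding a sentence that refers back to it, e.g. that the substitution should begin with a literal scheme and hostname followed by "/" before the first backreference, as in "http://images.example.com/$1.$2". Minor wording: "the scheme and hostname part of the URL is either fixed" reads better as "the scheme and hostname parts of the URL are either fixed", and "undue influence" would benefit from one clause saying what counts as undue.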