Posted to users@httpd.apache.org by "Vadim N. Lyalikov" <va...@yandex.ru> on 2004/11/01 18:12:46 UTC

[users@httpd] Re: [OBORONA-SPAM] Re: [users@httpd] escaped input mod_rewrite

I've installed
Apache/1.3.33 (Win32) PHP/4.3.9 (mod)
Same results.
e.g. mod_rewrite_log with index%20.html pattern from last letter:
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [ per-dir .../b] 
strip per-dir prefix: .../b/index .html -> index .html
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [per-dir .../b/] 
applying pattern '^.*$' to uri 'index .html'
127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (4) RewriteCond: 
input='/b/index .html' pattern='^/b/index%20.html$' => not-matched
(note whitespace between 'x' and '.' in 'index .html')
Also Jeff Trawick said:
I thought Apache 1.3 would always reject requests with slashes, whether 
or not encoded.  (Apache 2.0 has a directive called AllowEncodedSlashes
(http://httpd.apache.org/docs-2.0/mod/core.html#allowencodedslashes), 
and without setting that Apache 2.0 will reject such a request with 
file-not-found.  Apache 1.3 will always reject such a request with 
file-not-found, so even if you get mod_rewrite to encode the slash it 
still won't be acceptable.
Seems there is no way to have input to RewriteCond or RewriteRule, fully 
escaped with '%'.
Sad but true :(
Thanks for comments.
Vadim.

 >>Could you, please, give me RewriteCond example, which can parse URIs
 >>with '%' character inside?
 >
 >To start with, that version of apache is terminally out-dated.  So it
 >is practically useless to give any advice.
 >
 >But even with modern versions, dealing with character escaping in
 >mod_rewrite is complicated.
 >
 >Joshua.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: [OBORONA-SPAM] Re: [users@httpd] escaped input mod_rewrite

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 01 Nov 2004 20:12:46 +0300, Vadim N. Lyalikov
<va...@yandex.ru> wrote:
> I've installed
> Apache/1.3.33 (Win32) PHP/4.3.9 (mod)
> Same results.
> e.g. mod_rewrite_log with index%20.html pattern from last letter:
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [ per-dir .../b]
> strip per-dir prefix: .../b/index .html -> index .html
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (3) [per-dir .../b/]
> applying pattern '^.*$' to uri 'index .html'
> 127.0.0.1 - - [01/Nov/2004:19:57:18 +0300] ... (4) RewriteCond:
> input='/b/index .html' pattern='^/b/index%20.html$' => not-matched
> (note whitespace between 'x' and '.' in 'index .html')
> Also Jeff Trawick said:
> I thought Apache 1.3 would always reject requests with slashes, whether
> or not encoded.  (Apache 2.0 has a directive called AllowEncodedSlashes
> (http://httpd.apache.org/docs-2.0/mod/core.html#allowencodedslashes),
> and without setting that Apache 2.0 will reject such a request with
> file-not-found.  Apache 1.3 will always reject such a request with
> file-not-found, so even if you get mod_rewrite to encode the slash it
> still won't be acceptable.
> Seems there is no way to have input to RewriteCond or RewriteRule, fully
> escaped with '%'.

Slashes are %2f.  You are using %20 which is space.  Apache will not
reject those.

Try using the space explicitly in your RewriteCond/Rule instead of the
% stuff.  Just make sure to surround the argument in quotes so that it
won't be interpreted as two arguments.

Joshua.



[users@httpd] escaped input mod_rewrite

Posted by "Vadim N. Lyalikov" <va...@yandex.ru>.
Hi, Joshua :c) et al.

 >>1) generate random string (each symbol can have *any* value - from 0 to 255)
 >>...
 >>3) create valid (rfc) http url, like
 >>http://host.com/path/word/my_escaped_random_string/index.html (my_url)
 >>...
 >>6)redirect to url like:
 >>    http://host.com/path/word.php?word_id=my_escaped_random_string
 >>
 >I don't understand the point of this whole thing, but you really can't
 >expect it to work.
 >Joshua.

The point of this whole thing is Search_Engine_Friendly URLs.
You may read http://www.sitepoint.com/article/search-engine-friendly-urls
In a nutshell: to provide good indexing by spiders
    we move each val=var pair *from* query string to path. And if 
possible, replace val (often - a number) with its human readable 
corresponding value (often - name) , e.g. from database.
As I understood, this is impossible in the common case: with arbitrary strings.
Thanks for patience.
Vadim.




Re: [users@httpd] escaped input mod_rewrite

Posted by Joshua Slive <js...@gmail.com>.
On Tue, 02 Nov 2004 00:39:08 +0300, Vadim N. Lyalikov
<va...@yandex.ru> wrote:
> Hi, all.
> Sorry for maybe confusing you with different (but valid) examples in my mails.
> My global wish:
> 1) generate random string (each symbol can have *any* value - from 0 to 255)
> 2) escape all non safe chars in it (thought all, except alphanumeric and
> '_' and '-'). Result - my_escaped_random_string
> 3) create valid (rfc) http url, like
> http://host.com/path/word/my_escaped_random_string/index.html (my_url)
> 4) output this href with this url to UA
> 5) parse request_uri while processing this url:
>     mod_rewrite appears at scene
> 6)redirect to url like:
>     http://host.com/path/word.php?word_id=my_escaped_random_string
>     mod_rewrite does big work and disappears.
> Troubles come at stages 5)  and 6) -  percent symbols ('%') are
> automatically unescaped by apache. Seems at stage 5. And, as you may
> imagine, url in output of stage 6 may look awful, and for sure incorrect
> according to rfc. e.g. string = "?", so we get
> http://host.com/path/word.php?word_id=?. Error. And I want ...?word_id=%3F
> %20 and %2F are just obvious examples.
> Thanks for reply, once more.

I don't understand the point of this whole thing, but you really can't
expect it to work.  The stuff in the path is subject to certain
canonicalization rules, so you can't guarantee that you can pass
through arbitrary strings.  For example, path segments like ".." might
be collapsed, and encoded slashes will be rejected for security
reasons.  You might have better luck passing stuff in the query
string.

Joshua.
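
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Apache code: a small Python model in which the path is percent-decoded before any pattern is applied, encoded slashes are refused, dot segments are collapsed, and the captured segment is re-escaped for the query string. The function names and the order of the normalization steps are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import quote, unquote

def server_view(raw_path):
    """Model (assumption) of the path a rewrite pattern is matched against.
    Returns None when the request is refused outright."""
    if re.search(r"%2f", raw_path, re.IGNORECASE):
        return None  # encoded slash: rejected, as stated in the thread
    # latin-1 keeps every byte value 0..255 as exactly one character
    decoded = unquote(raw_path, encoding="latin-1")
    return posixpath.normpath(decoded)  # collapses "." and ".." segments

def cond_matches(pattern, raw_path):
    """RewriteCond-style test: the pattern sees the decoded path only."""
    path = server_view(raw_path)
    return path is not None and re.search(pattern, path) is not None

def rewrite(raw_path):
    """Map /path/word/<segment>/index.html to /path/word.php?word_id=<segment>,
    re-escaping the captured segment so '?', '&', ' ' etc. stay data."""
    path = server_view(raw_path)
    if path is None:
        return None
    m = re.match(r"^/path/word/([^/]+)/index\.html$", path)
    if m is None:
        return None
    # quote() leaves letters, digits and "_.-~" literal, escapes the rest
    word_id = quote(m.group(1), safe="", encoding="latin-1")
    return "/path/word.php?word_id=" + word_id

if __name__ == "__main__":
    # Constructed sample requests, modelled on the ones in the thread.
    samples = ["/path/word/%3F/index.html", "/path/word/a%20b/index.html",
               "/path/word/a%2Fb/index.html", "/path/word/%2E%2E/index.html"]
    for raw in samples:
        print(raw, "->", rewrite(raw))
    # The log excerpt: a pattern containing %20 never sees a '%' to match.
    print(cond_matches(r"^/b/index%20.html$", "/b/index%20.html"))
    print(cond_matches(r"^/b/index .html$", "/b/index%20.html"))
```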



[users@httpd] escaped input mod_rewrite

Posted by "Vadim N. Lyalikov" <va...@yandex.ru>.
Hi, all.
Sorry for maybe confusing you with different (but valid) examples in my mails.
My global wish:
1) generate random string (each symbol can have *any* value - from 0 to 255)
2) escape all non safe chars in it (thought all, except alphanumeric and 
'_' and '-'). Result - my_escaped_random_string
3) create valid (rfc) http url, like 
http://host.com/path/word/my_escaped_random_string/index.html (my_url)
4) output this href with this url to UA
5) parse request_uri while processing this url:
    mod_rewrite appears at scene
6)redirect to url like:
    http://host.com/path/word.php?word_id=my_escaped_random_string
    mod_rewrite does big work and disappears.
Troubles come at stages 5)  and 6) -  percent symbols ('%') are 
automatically unescaped by apache. Seems at stage 5. And, as you may 
imagine, url in output of stage 6 may look awful, and for sure incorrect 
according to rfc. e.g. string = "?", so we get 
http://host.com/path/word.php?word_id=?. Error. And I want ...?word_id=%3F
%20 and %2F are just obvious examples.
Thanks for reply, once more.
Vadim.

