Posted to users@httpd.apache.org by James Mitchell <re...@askmiky.com> on 2003/10/17 06:40:04 UTC

[users@httpd] Things in the manual, which aren't what they should be?

Hi,

I've just been reading over the rewriteguide for 2.0:
http://httpd.apache.org/docs-2.0/misc/rewriteguide.html

I am no perl guru, but the following block of code, at the bottom of the
page:

@pairs = split(/&/, $ENV{'QUERY_STRING'});
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $name =~ tr/A-Z/a-z/;
    $name = 'QS_' . $name;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    eval "\$$name = \"$value\"";
}

Wouldn't that be insecure, because users could break out of the quote
marks and do things like system("rm -rf /") and other things?

Also < is &amp;lt; rather than &lt; so it's showing up wrong. Look at:

print "&lt;b&gt;ERROR&lt;/b&gt;: File $QS_f not found\n";

and

for ($n = 0; $n &lt; $QS_n; $n++) {


Users copying and pasting it without looking are going to get errors.

Also on that same page, I haven't tested it, but would this work:

#   backward compatibility ruleset for
#   rewriting document.html to document.phtml
#   when and only when document.phtml exists
#   but no longer document.html
RewriteEngine on
RewriteBase   /~quux/
#   parse out basename, but remember the fact
RewriteRule   ^(.*)\.html$              $1      [C,E=WasHTML:yes]
#   rewrite to document.phtml if exists
RewriteCond   %{REQUEST_FILENAME}.phtml -f
RewriteRule   ^(.*)$ $1.phtml                   [S=1]
#   else reverse the previous basename cutout
RewriteCond   %{ENV:WasHTML}            ^yes$
RewriteRule   ^(.*)$ $1.html


Look closely at the following line:
RewriteCond   %{REQUEST_FILENAME}.phtml -f

Isn't this going to test for the file.html.phtml rather than file.phtml?

Thanks,
James Mitchell



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
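
The concern raised in the message above, shown as an added example that is not part of the original thread or of the Apache manual: the query string is parsed into a hash, so client-supplied names and values are only ever handled as data and never compiled as Perl. The helper name parse_query, the key pattern and the sample query string are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: parse QUERY_STRING into a hash instead of eval-ing
# each pair into a variable whose name and value come from the client.
use strict;
use warnings;

# parse_query is a hypothetical helper name, not from the rewriteguide.
sub parse_query {
    my ($query) = @_;
    my %qs;
    foreach my $pair (split /[&;]/, $query // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        # Decode '+' and %XX in both name and value, as data only.
        for ($name, $value) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        }
        $name = lc $name;
        # Accept only plain identifiers as keys; drop everything else.
        next unless $name =~ /\A[a-z_][a-z0-9_]{0,31}\z/;
        # First occurrence wins, so a repeated key cannot override it.
        $qs{"QS_$name"} = $value unless exists $qs{"QS_$name"};
    }
    return \%qs;
}

# Constructed sample input: the value of "note" decodes to text that
# contains a double quote, a semicolon and a dollar sign. It is stored
# verbatim as a hash value; nothing in it is interpreted.
my $sample = 'F=index.html&n=3&f=ignored&note=%22%3B%20%24x&bad-name=1';
my $qs = parse_query($sample);

foreach my $key (sort keys %$qs) {
    printf "%-8s => [%s]\n", $key, $qs->{$key};
}

# Numeric parameters are validated before use, e.g. as a loop bound.
my $n = ($qs->{QS_n} // '') =~ /\A(\d{1,4})\z/ ? $1 : 0;
print "loop bound: $n\n";
```

In a CGI script the call would be parse_query($ENV{'QUERY_STRING'}), with $qs->{QS_f} used where the manual's snippet uses $QS_f.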


Re: [users@httpd] Things in the manual, which aren't what they should be?

Posted by Robert Andersson <ro...@profundis.nu>.
Leif W wrote:
> I'm not familiar enough with mod_rewrite to comment on that portion.  But
> all in all, I'd probably go submit a documentation bug report with the
> things you pointed out so they're not forgotten. I'm not sure if this is
> the correct step,

I remember looking at it a few days ago, and IIRC think the security aspect
is valid. That code piece is just an example, so I don't think it needs to
be modified, but perhaps a warning should be included to not use the code as
is. I think the right step is to file a bug under documentation/enhancement,
to get a developer's opinion on the issue.

> or exactly how to do this either.

http://nagoya.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2.0

Regards,
Robert Andersson




Re: [users@httpd] Things in the manual, which aren't what they should be?

Posted by Leif W <wa...@usa.net>.
Hello,

I noticed no reply to this message so here's mine.  I skimmed through the
Perl code (I'm a decent coder, but no expert)  and your concerns seem valid.
However, any competent coder will be able to overcome the obvious syntax
errors regarding &lt; versus <, etc., and should be a lesson to those not to
just copy and run code without understanding it, as the code might be flawed
or worse, dangerous, as you pointed out with the eval escaping.  Still it
is an annoyance to have code with security holes and typo bugs in it.

I'm not familiar enough with mod_rewrite to comment on that portion.  But
all in all, I'd probably go submit a documentation bug report with the
things you pointed out so they're not forgotten.  I'm not sure if this is
the correct step, or exactly how to do this either.  But it might be the
right thing to do.

Leif

----- Original Message ----- 
From: "James Mitchell" <re...@askmiky.com>
To: <us...@httpd.apache.org>
Sent: Friday, October 17, 2003 12:40 AM
Subject: [users@httpd] Things in the manual, which aren't what they should
be?


> Hi,
>
> I've just been reading over the rewriteguide for 2.0:
> http://httpd.apache.org/docs-2.0/misc/rewriteguide.html
>
> I am no perl guru, but the following block of code, at the bottom of the
> page:
>
> @pairs = split(/&/, $ENV{'QUERY_STRING'});
> foreach $pair (@pairs) {
>     ($name, $value) = split(/=/, $pair);
>     $name =~ tr/A-Z/a-z/;
>     $name = 'QS_' . $name;
>     $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>     eval "\$$name = \"$value\"";
> }
>
> Wouldn't that be insecure, because users could break out of the quote
> marks and do things like system("rm -rf /") and other things?
>
> Also < is &amp;lt; rather than &lt; so it's showing up wrong. Look at:
>
> print "&lt;b&gt;ERROR&lt;/b&gt;: File $QS_f not found\n";
>
> and
>
> for ($n = 0; $n &lt; $QS_n; $n++) {
>
>
> Users copying and pasting it without looking are going to get errors.
>
> Also on that same page, I haven't tested it, but would this work:
>
> #   backward compatibility ruleset for
> #   rewriting document.html to document.phtml
> #   when and only when document.phtml exists
> #   but no longer document.html
> RewriteEngine on
> RewriteBase   /~quux/
> #   parse out basename, but remember the fact
> RewriteRule   ^(.*)\.html$              $1      [C,E=WasHTML:yes]
> #   rewrite to document.phtml if exists
> RewriteCond   %{REQUEST_FILENAME}.phtml -f
> RewriteRule   ^(.*)$ $1.phtml                   [S=1]
> #   else reverse the previous basename cutout
> RewriteCond   %{ENV:WasHTML}            ^yes$
> RewriteRule   ^(.*)$ $1.html
>
>
> Look closely at the following line:
> RewriteCond   %{REQUEST_FILENAME}.phtml -f
>
> Isn't this going to test for the file.html.phtml rather than file.phtml?
>
> Thanks,
> James Mitchell


