Hi, a client used
RewriteRule ^/some/old/path/(.*)$ /$1 in his httpd config, in order to redirect some paths that are now available directly under the document root. This has the problem that mod_rewrite guesses if the substituted path is an URL or an absoulte local path by looking at the first component of the substitution result. With the above rule, this first component is controlled by the client which causes security issues. For example, http://servername/some/old/path/etc/passwd does actually result in /etc/passwd being delivered to the client. While this works as documented and secure behaviour can be obtained by appending [PT] or [R], I think this behaviour makes it far too easy to shoot onself in the foot. My first idea for saner semantics would be: - Don't try to guess what the user meant. Instead, treat the substitution as URI unless some new option ([LOCALPATH]?) is given for the rule. In this case, look for file system paths only. - Add a new option for RewriteOptions to restore the old guessing behaviour. What do you think? Cheers, Stefan
