On Fri, April 15, 2011 11:34, "Plüm, Rüdiger, VF-Group" wrote: >> RewriteRule ^/some/old/path/(.*)$ /$1 >> >> in his httpd config, in order to redirect some paths that are now >> available directly under the document root. This has the problem that >> mod_rewrite guesses if the substituted path is an URL or an >> absoulte local >> path by looking at the first component of the substitution >> result. With >> the above rule, this first component is controlled by the client which >> causes security issues. For example, >> >> http://servername/some/old/path/etc/passwd >> >> does actually result in /etc/passwd being delivered to the client. > > I doubt that this would work with the recommended > > <Directory /> > deny from all > </Directory> > > setting.
True, but this is often a PITA to use with complex auth configs. This will improve with the new authz merging in 2.4, but I still think mod_rewrite should behave more predictable. After all, some RewriteRule that works perfectly well can stop working just because of a new directory being created in /. Even if access to the new directory is forbidden, this is still disruptive. >> My first idea for saner semantics would be: >> >> - Don't try to guess what the user meant. Instead, treat the >> substitution >> as URI unless some new option ([LOCALPATH]?) is given for the rule. In >> this case, look for file system paths only. >> - Add a new option for RewriteOptions to restore the old >> guessing behaviour. >> >> What do you think? > > IMHO that would be a dramatic change in behaviour. mod_rewrite was always > a map to storage (or uri to file) provider and mapping to different URL's > was only an additional > feature. > OTOH I admit that I mostly use mod_rewrite this way. My impression is that mapping to different URLs is by far the more frequent use case, but I may be wrong. A different idea would be - Create new directives RewriteToPath, RewriteToURL that don't do guessing. - Document clearly the problems that may be caused by the guessing behaviour of RewriteRule. Maybe even mark RewriteRule as deprecated in 2.4. Cheers, Stefan
