Hello list,

I am developing a module which should be able to allow or deny access to URLs
based on a database.

I have now found out that with 'AcceptPathInfo on' there are URLs that the
user can access by simply adding a trailing '/' or a trailing '/whatever'.
So the user specifies he wants '/index.php/whatever' and this is not
disallowed in the database, but then he will get /index.php with '/whatever'
added to the PHP script as a path-info field.
This bypasses the security of course.

Is there a way of knowing whether this is in effect or (preferred) is there a
way to find out the real URL that the PHP interpreter will be using in the end?

My module runs in the auth_checker phase and in the fixup phase.
I have not found a way yet to determine the really delivered URL instead of
the user-given one.


Thank you for your time,

Greetings

-- 
Christoph Gröver, gro...@sitepark.com
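
One way to close the gap described in the message above, as an added example that is not part of the original post and not httpd's own code: the access lookup is done on the request URI with the path-info suffix removed, and the request is refused when the two do not line up. The inputs model the `r->uri` and `r->path_info` fields of Apache's `request_rec`; the deny list, function names and sample requests are constructed, and it is an assumption that `r->path_info` is already populated when the hook runs.

```c
#include <stdio.h>
#include <string.h>

/* Constructed deny list standing in for the module's database. */
static const char *const denied[] = { "/index.php", "/admin/report.php" };

/* Write the URI of the resource that will actually be served into out:
 * uri with the trailing path_info removed. Returns 0 on success, -1 when
 * path_info is not a suffix of uri, nothing is left, or out is too small. */
static int effective_uri(const char *uri, const char *path_info,
                         char *out, size_t outlen)
{
    size_t ulen = strlen(uri);
    size_t plen = path_info ? strlen(path_info) : 0;

    if (plen > ulen || (plen && strcmp(uri + ulen - plen, path_info) != 0))
        return -1;
    ulen -= plen;
    if (ulen == 0 || ulen + 1 > outlen)
        return -1;
    memcpy(out, uri, ulen);
    out[ulen] = '\0';
    return 0;
}

/* Returns 1 if the request may proceed, 0 if it must be refused. */
static int access_allowed(const char *uri, const char *path_info)
{
    char script[1024];
    size_t i;

    if (effective_uri(uri, path_info, script, sizeof script) != 0)
        return 0;                       /* fail closed on any mismatch */
    for (i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (strcmp(script, denied[i]) == 0)
            return 0;                   /* the script itself is denied */
    return 1;
}

int main(void)
{
    /* Constructed requests: (r->uri, r->path_info) pairs. */
    printf("%d\n", access_allowed("/index.php", NULL));
    printf("%d\n", access_allowed("/index.php/whatever", "/whatever"));
    printf("%d\n", access_allowed("/index.php/", "/"));
    printf("%d\n", access_allowed("/public.html", ""));
    return 0;
}
```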
