On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <a...@ice-sa.com> wrote:
> Matt McCutchen wrote:
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me, logs in as user1 and then request in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?In per-vhost rewrite, you've replaced the bit of code that would kick that request out with a 400 by using rewrite. However, the ..'s have still been flattened before the rewrite starts. You would see a relative path such as "index.html" as the URI in your rule. If you had only per-directory rules, the core code that maps URIs to the filesystem would return 400 before you got to them -- Eric Covener cove...@gmail.com --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
