Matt McCutchen wrote:
> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>> I managed to do something similar in the end, using the prefix user_
>> for each user directory, then adding a .htaccess to the root dir of:
>>
>>   AuthType Basic
>>   AuthName "Restricted Files"
>>   AuthUserFile /var/www/passwd/htpasswd
>>   Require valid-user
>>   RewriteEngine on
>>   RewriteCond $1 !^user_
>>   RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>>   RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>
>> The only problem with this is that any user could access other users'
>> directories... so I then had to add an additional .htaccess of
>> "require user spidie" to the user_spidie directory... etc etc.
>
> If you put the rewrite rules in the main server configuration rather
> than an htaccess file, you don't have to worry about them being run
> multiple times, so you can drop the user_ prefix and condition. You
> don't need to condition on %{REMOTE_USER} either because rewrite rules
> don't run until after the user gains authorization. The rule I gave
> earlier (updated for your directory name) should just work:
>
>   RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
(Not trying to be sarcastic here, it's a genuine question.) What happens if Evil Hacker me logs in as user1 and then requests http://foo.com/../user2/index.html in my browser?

Taken literally, the RewriteRule above should rewrite this as /var/www/accesstest/user1/../user2/index.html, no? Is some other inner security measure stripping that .. somewhere?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
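Added example, not code from the thread: a small Python harness that applies the RewriteRule quoted above literally and then checks whether the resulting filesystem path still lies inside the authenticated user's directory, reusing Steve's `^[a-z0-9_]+$` username pattern as a guard on %{REMOTE_USER}. It does not model httpd's own URL normalisation, which is exactly what the question asks about; it only shows what a containment check on the rewritten target looks like and which inputs it has to reject.

```python
import posixpath
import re
from typing import Tuple

# Constructed values taken from the thread's rule:
#   RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
ACCESS_ROOT = "/var/www/accesstest"

# Steve's RewriteCond on %{REMOTE_USER}, kept as a username allow-list
USER_RE = re.compile(r"^[a-z0-9_]+$")


def rewrite_target(remote_user: str, request_path: str) -> str:
    """Apply the rule as a literal substitution, with no path normalisation.

    $1 is the request path without its leading slash; %{REMOTE_USER} is the
    login name that mod_auth set after a successful Basic auth exchange.
    """
    captured = request_path.lstrip("/")
    return f"{ACCESS_ROOT}/{remote_user}/{captured}"


def stays_in_user_dir(remote_user: str, target: str) -> bool:
    """True if the normalised target is the user's directory or inside it.

    posixpath.normpath collapses '.' and '..' segments, so a target that
    climbs out of the user directory resolves to a path that does not share
    the user_dir prefix and is rejected.
    """
    user_dir = posixpath.normpath(f"{ACCESS_ROOT}/{remote_user}")
    resolved = posixpath.normpath(target)
    return resolved == user_dir or resolved.startswith(user_dir + "/")


def check_request(remote_user: str, request_path: str) -> Tuple[str, bool]:
    """Return (rewritten target, allowed?) for one authenticated request."""
    target = rewrite_target(remote_user, request_path)
    # A username that fails the allow-list can itself carry '..', so it is
    # refused before the containment check is even consulted.
    if not USER_RE.match(remote_user):
        return target, False
    return target, stays_in_user_dir(remote_user, target)


if __name__ == "__main__":
    # The literal traversal from the question, and the same request after a
    # client collapses '/../' at the root to '/user2/index.html'.
    for user, path in [("user1", "/index.html"),
                       ("user1", "/../user2/index.html"),
                       ("user1", "/user2/index.html")]:
        print(user, path, "->", check_request(user, path))
```

The False result for "/../user2/index.html" is what the literal substitution produces; whether the request ever reaches the rule in that form is the open question in the thread, and this harness does not answer it.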