Matt McCutchen wrote:(Not trying to be sarcastic here, it's a genuine question)
On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
I managed to do something similar in the end, using the prefix user_
for each user directory then adding .htaccess to root dir of:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/passwd/htpasswd
Require valid-user
RewriteEngine on
RewriteCond $1 !^user_
RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
The only problem with this is that any user could access other users
directories... so I then had to add an additional .htaccess of
require user spidie
to the user_spidie directory... etc etc.
If you put the rewrite rules in the main server configuration rather
than an htaccess file, you don't have to worry about them being run
multiple times, so you can drop the user_ prefix and condition. You
don't need to condition on %{REMOTE_USER} either because rewrite rules
don't run until after the user gains authorization. The rule I gave
earlier (updated for your directory name) should just work:
RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
What happens if Evil Hacker me, logs in as user1 and then request in my browser http://foo.com/../user2/index.html ?
Taken literally, the RewriteRule above should rewrite this as
/var/www/accesstest/user1/../user2/index.html
no ?
Is some other inner security measure stripping that .. somewhere ?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|