On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <aw@xxxxxxxxxx> wrote: > Matt McCutchen wrote: >> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 >> > (Not trying to be sarcastic here, it's a genuine question) > > What happens if Evil Hacker me, logs in as user1 and then request in my > browser http://foo.com/../user2/index.html ? > Taken literally, the RewriteRule above should rewrite this as > /var/www/accesstest/user1/../user2/index.html > no ? > Is some other inner security measure stripping that .. somewhere ? In per-vhost rewrite, you've replaced the bit of code that would kick that request out with a 400 by using rewrite. However, the ..'s have still been flattened before the rewrite starts. You would see a relative path such as "index.html" as the URI in your rule. If you had only per-directory rules, the core code that maps URIs to the filesystem would return 400 before you got to them -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx