Re: How to serve up different content depending on authenticated user

On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <aw@xxxxxxxxxx> wrote:
> Matt McCutchen wrote:
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me, logs in as user1 and then request in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?

In per-vhost rewrite, you've replaced the bit of code that would kick
that request out with a 400 by using rewrite. However, the ..'s have
still been flattened before the rewrite starts. You would see a
relative path such as "index.html" as the URI in your rule.

If you had only per-directory rules, the core code that maps URIs to
the filesystem would return 400 before you got to them.

-- 
Eric Covener
covener@xxxxxxxxx
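As an added illustration of the ordering Eric describes (example code written for this page, not code from the thread or from httpd itself): a small emulation that flattens the URI first, then applies the quoted substitution, and contrasts it with what the literal substitution would produce. The `DOCROOT` value comes from the RewriteRule above; the function names and the final containment check are my own additions, not Apache behaviour.

```python
import posixpath
from typing import Optional

# Document root taken from the RewriteRule quoted in the thread.
DOCROOT = "/var/www/accesstest"


def normalize_uri(uri: str) -> Optional[str]:
    """Collapse '.' and '..' segments the way the server's URI cleanup does
    before per-vhost rewrite rules see the request. Returns None when a '..'
    would climb above '/', the case the core answers with 400."""
    out = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue          # empty segment ('//') or '.' carries no meaning
        if seg == "..":
            if not out:
                return None   # attempt to escape above the root: reject
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def literal_target(remote_user: str, uri: str) -> str:
    """What the substitution would yield if the '..' were NOT flattened first,
    i.e. the scenario the question worries about (hypothetical helper)."""
    return posixpath.normpath(f"{DOCROOT}/{remote_user}{uri}")


def map_to_user_dir(remote_user: str, uri: str) -> Optional[str]:
    """Emulate RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 on the
    already-normalized URI, then verify the result is still inside that user's
    directory (a belt-and-braces check; hypothetical helper)."""
    norm = normalize_uri(uri)
    if norm is None:
        return None
    base = f"{DOCROOT}/{remote_user}"
    target = posixpath.normpath(f"{base}{norm}")
    if target != base and not target.startswith(base + "/"):
        return None           # would leave the per-user tree: refuse to serve
    return target
```

`literal_target("user1", "/../user2/index.html")` lands in user2's tree, while `map_to_user_dir` with the same input returns `None`, which is the difference the flattening step makes.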

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.