| author | Stefan Bühler <stbuehler@web.de> | 2008-12-07 15:22:42 +0000 |
|---|---|---|
| committer | Stefan Bühler <stbuehler@web.de> | 2008-12-07 15:22:42 +0000 |
| commit | 36f74e5d23e4d64a123c9ebf0822dd940c896e27 (patch) | |
| tree | 59ae0a54421cfc4d6c576cafdc875ada1ef971ee | /doc |
| parent | a64e7cd46b6b7b0e96745c68d0c3618e2402bbfa | (diff) |
| download | lighttpd-git-36f74e5d23e4d64a123c9ebf0822dd940c896e27.tar.gz | |
Revert url decoding+simplifying before matching of mod_rewrite/mod_redirect
- Lots of regressions (we forgot to reencode the result)
- Generic problem: after decode and rewrite "a?b?c": which '?' was the path?query separator?
- Possible solution: only decode printable characters (without '?'), and encode the result; do not encode the '%' of a not decoded character.
- Still a problem with path simplifying, it seems many people use urls like this: http://server1/http%3a//server2/xxx and rewrite the path into the querystring.
- Probably only usable with an extra config option
=> Do NOT use rewrite/redirect to protect specific urls.
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2362 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/redirect.txt | 6 |
|---|---|---|
| -rw-r--r-- | doc/rewrite.txt | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/doc/redirect.txt b/doc/redirect.txt index cf7cd752..ec547317 100644 --- a/doc/redirect.txt +++ b/doc/redirect.txt @@ -39,3 +39,9 @@ url.redirect $HTTP["host"] =~ "^www\.(.*)" { url.redirect = ( "^/(.*)" => "http://%1/$1" ) } + +Warning +======= + +Do NOT use mod_redirect to protect specific urls, as the original url passed from the client +is matched against your rules, for example strings like "/abc/../xyz%2f/path". diff --git a/doc/rewrite.txt b/doc/rewrite.txt index e4670223..a1390695 100644 --- a/doc/rewrite.txt +++ b/doc/rewrite.txt @@ -43,6 +43,12 @@ url.rewrite-repeat The options ``url.rewrite`` and ``url.rewrite-final`` were mapped to ``url.rewrite-once`` in 1.3.16. +Warning +======= + +Do NOT use mod_rewrite to protect specific urls, as the original url passed from the client +is matched against your rules, for example strings like "/abc/../xyz%2f/path". + Examples ======== |
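Review bot: the Warning appended to doc/redirect.txt (the `@@ -39,3 +39,9 @@` hunk) tells readers not to use mod_redirect to protect URLs but does not say what about the example string defeats a rule: the regex sees the request URL before %-decoding and before ".." simplification, which is exactly the behaviour this revert restores, so a pattern written against the normalized path will not match "/abc/../xyz%2f/path" even though both forms can name the same resource. One sentence stating that the match is done on the raw, un-decoded, un-simplified URL would make the warning actionable; and since the section is placed after the final example rather than next to the option description, readers looking up `url.redirect` may never reach it.

Review bot: the doc/rewrite.txt hunk (`@@ -43,6 +43,12 @@`) adds a Warning that is word-for-word the same as the one in doc/redirect.txt and shares its gap: it gives the example "/abc/../xyz%2f/path" without saying that mod_rewrite matches the URL as sent by the client, before decoding and path simplification, so the reader is left to infer why the rule can be bypassed. Consider stating that explicitly and, because the text only says what not to do, pointing at the mechanism that should be used for access control instead of rewrite rules; the placement before "Examples" with a matching `=======` underline is fine.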