mdn teo wrote:
Hi, I have a question about mod_rewrite.
I want to deny access if the variables included in the GET or the POST
match a defined string.
This is what I use:
--------
RewriteCond %{REQUEST_METHOD} ^(GET|POST)$ [NC]
RewriteCond %{QUERY_STRING} (myvariable=xxx123) [NC]
RewriteRule .*? - [F]
--------
This is working, but only for GET:
--------
GET /site/file.php?var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
--------
The query_string is matched and everything is working fine, as mod_rewrite is
considering:
QUERY_STRING=var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
This is not working for the POST, as checking the HTTP headers, I see that
the POST made is something like this:
--------
POST /site/file.php? HTTP/1.1
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: <deleted by me in this email>
Cookie: <deleted by me in this email>
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123
--------
so, QUERY_STRING="", and I can't check the content of the POST.
Is there a way with mod_rewrite to verify and match the content of the POST?

If nobody else provides a positive answer to your liking:
Using mod_perl (and maybe also with something else), you could have a
small module that converts POSTs to GETs. It basically would read the
POST parameters, append them to the incoming URL, and change the
internal request method from POST to GET. If it does this early enough
in the cycle, your mod_rewrite logic would then see a GET.
Here is an example, taken originally from the CPAN module
Apache2::AuthCookie:

    use Apache2::Const qw(M_GET);   # imports the M_GET method-number constant

    # escape_uri($r, $string) is assumed to be the URI-escaping helper
    # available in the module this sub was taken from.
    sub _convert_to_get {
        my ($self, $r, $args) = @_;

        return unless $r->method eq 'POST';

        # CGI->Vars() returns the parameter list as a tied hash ref.
        # In this hash, multi-valued parameters are represented by strings,
        # in which multiple values are separated by a binary null byte.
        # The following splits them.
        my @pairs = ();
        while (my ($name, $value) = each %$args) {
            # we don't want to copy login data, only extra data
            next if ($name =~ m/^log_(target|id|pass)$/);
            $value = '' unless defined $value;
            for my $v (split /\0/, $value) {
                push @pairs, escape_uri($r, $name) . '=' . escape_uri($r, $v);
            }
        }

        # Replace the query string with the re-encoded POST parameters.
        $r->args(join '&', @pairs) if scalar(@pairs) > 0;

        # Make the rest of the request cycle see a body-less GET.
        $r->method('GET');
        $r->method_number(M_GET);
        $r->headers_in->unset('Content-Length');
    }

André
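
The behaviour discussed in this thread, as an added example that is not part of the original messages: a Python simulation (not Apache or mod_perl code) showing that the QUERY_STRING condition misses form data sent in a POST body, and matches again once the body parameters are moved into the query string. The sample requests are constructed from the ones quoted above; parse_request, rule_forbids and convert_to_get are hypothetical helper names, and unlike the Perl sub this version keeps any existing query string.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Pattern from the RewriteCond in the question; [NC] maps to re.IGNORECASE.
RULE = re.compile(r"(myvariable=xxx123)", re.IGNORECASE)
# Constructed sample requests, modelled on the ones quoted in the thread.
PARAMS = "var1=Login&username=user1&in_pw_userpass=userpassword&myvariable=xxx123"
GET_REQ = f"GET /site/file.php?{PARAMS} HTTP/1.1\r\nHost: myhost.example.com\r\n\r\n"
POST_REQ = ("POST /site/file.php? HTTP/1.1\r\nHost: myhost.example.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(PARAMS)}\r\n\r\n{PARAMS}")

def parse_request(raw):
    """Split a raw HTTP request into method, path, query string, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")   # QUERY_STRING is only what follows '?'
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body}

def rule_forbids(req):
    """Mimic the two RewriteCond lines: method is GET or POST, QUERY_STRING matches."""
    method_ok = re.fullmatch(r"GET|POST", req["method"], re.IGNORECASE) is not None
    return method_ok and RULE.search(req["query"]) is not None

def convert_to_get(req):
    """Move form-encoded POST parameters into the query string, as the reply describes."""
    ctype = req["headers"].get("Content-Type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return req
    pairs = parse_qsl(req["query"], keep_blank_values=True)
    pairs += parse_qsl(req["body"], keep_blank_values=True)
    headers = {k: v for k, v in req["headers"].items() if k != "Content-Length"}
    return {"method": "GET", "path": req["path"], "query": urlencode(pairs),
            "headers": headers, "body": ""}

if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ):
        req = parse_request(raw)
        print(req["method"], "as received -> forbidden:", rule_forbids(req))
        print(req["method"], "after conversion -> forbidden:",
              rule_forbids(convert_to_get(req)))
```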