Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The following page has been changed by noodl:
http://wiki.apache.org/httpd/Rewrite/Security

The comment on the change is:
First hash at rewrite security doc

New page:
= Substitution paths =

The second argument of the !RewriteRule directive specifies the substituted URI 
reference or file path. A very common misconception is that the substituted 
string is always taken to mean a URI reference relative to the prevailing 
!DocumentRoot.

For example, one might try the following rule to append a query parameter to an 
incoming request.

{{{
# DO NOT DO THIS!
RewriteEngine On
RewriteRule (.*) $1?foo=bar [QSA]
}}}

However, a request such as http://example.com/etc/passwd would in some cases 
(see below) serve the system password table. The rule is that the substitution 
string is first tried as an absolute filesystem path, and if that doesn't work, 
as relative to the !DocumentRoot.

One solution is to prepend the document root wherever the resulting path could 
be ambiguous, for example:

{{{
RewriteEngine On
RewriteRule (.*) %{DOCUMENT_ROOT}/$1?foo=bar [QSA]
}}}
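A small configuration audit for the substitution-path problem described above, added here as an example and not part of the wiki page or of httpd itself. It assumes RewriteRule arguments are unquoted or shell-style quoted, and applies the heuristic that a substitution whose leading component is a back-reference or a request-derived variable can be tried as an absolute filesystem path, while one anchored on %{DOCUMENT_ROOT} or an absolute URL cannot.

```python
"""Flag RewriteRule substitutions that may resolve as absolute filesystem paths.

Added example (not from the httpd wiki); simplified parsing of httpd.conf.
"""
import re
import shlex

# Substitutions beginning with these prefixes are anchored and not at risk
# of being taken as an arbitrary absolute filesystem path.  "-" means
# "no substitution" in mod_rewrite.
SAFE_PREFIXES = ("%{DOCUMENT_ROOT}", "http://", "https://", "-")

RULE_RE = re.compile(r"^\s*RewriteRule\s+(.*)$", re.IGNORECASE)

# Leading component taken from the request: a pattern back-reference ($1..$9),
# a RewriteCond back-reference (%1..%9) or a server variable such as
# %{REQUEST_URI}.  DOCUMENT_ROOT is excluded via SAFE_PREFIXES above.
RISKY_LEAD_RE = re.compile(r"^(\$\d|%\d|%\{)")


def parse_rewrite_rules(config_text):
    """Yield (line_no, pattern, substitution, flags) for each RewriteRule."""
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        args = shlex.split(m.group(1))  # tolerates quoted arguments
        if len(args) < 2:
            continue  # malformed directive; httpd would reject it anyway
        flags = args[2] if len(args) > 2 else ""
        yield line_no, args[0], args[1], flags


def is_ambiguous(substitution):
    """True when the substitution is tried as an absolute path first."""
    if substitution.startswith(SAFE_PREFIXES):
        return False
    return RISKY_LEAD_RE.match(substitution) is not None


def audit(config_text):
    """Return [(line_no, substitution)] for every ambiguous RewriteRule."""
    return [(n, sub) for n, _pat, sub, _flags in parse_rewrite_rules(config_text)
            if is_ambiguous(sub)]


# Constructed sample configuration containing the rule the page warns about,
# its corrected form, and an external redirect that is not a filesystem path.
SAMPLE_CONFIG = """\
RewriteEngine On
# DO NOT DO THIS: $1 (e.g. /etc/passwd) is tried as an absolute path first
RewriteRule (.*) $1?foo=bar [QSA]
# Corrected form: always anchored under the document root
RewriteRule (.*) %{DOCUMENT_ROOT}/$1?foo=bar [QSA]
# External redirect: an absolute URL is never a filesystem path
RewriteRule ^/old$ http://example.com/new [R=301,L]
"""

if __name__ == "__main__":
    for line_no, sub in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: substitution {sub!r} may resolve as an absolute path")
```

Run against a real httpd.conf by passing its contents to audit(); the heuristic reports candidates for review, not confirmed disclosures.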

= Mitigating Information Disclosure =
The best way to avoid situations like this is to only allow access to file 
paths relevant to the context at hand. For example:

{{{
<Directory />
 Deny from all
</Directory>

<VirtualHost *:80>
 ServerName www1.example.com
 DocumentRoot /var/www/www1.example.com
 <Directory /var/www/www1.example.com>
  Allow from all
 </Directory>
</VirtualHost>

<VirtualHost *:80>
 ServerName www2.example.com
 DocumentRoot /var/www/www2.example.com
 <Directory /var/www/www2.example.com>
  Allow from all
 </Directory>
</VirtualHost>
}}}

In this way, each vhost is confined to its own area of the filesystem, so an 
overly promiscuous rewrite rule cannot serve files from outside it.
