Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by VinkoVrsalovic: http://wiki.apache.org/httpd/Rewrite/Security The comment on the change is: hopefully is clearer now ------------------------------------------------------------------------------ = Substitution paths = - The second argument of the !RewriteRule directive specifies the substituted URI reference or file path. A very common misconception is that the substituted string is always taken to mean a URI reference relative to the prevailing !DocumentRoot. + The second argument of the !RewriteRule directive specifies the substituted URI reference or file path. A very common misconception is that the substituted string is always taken to mean a URI reference relative to the !DocumentRoot. For example, one might try the following rule to append a query parameter to an incoming request. @@ -12, +12 @@ RewriteRule (.*) $1?foo=bar [QSA] }}} - However, a request such as http://example.com/etc/passwd would in some cases (see below) serve the system password table. The rule is that the substitution string is first tried as an absolute filesystem path, and if that doesn't work, as relative to the !DocumentRoot. + But given that the substitution string is first tried as an absolute filesystem path, and if that doesn't work, as relative to the !DocumentRoot, a request such as http://example.com/etc/passwd would serve the system password table. One solution is to prepend the document root in cases where the resulting path could be ambiguous. Such as: @@ -28, +28 @@ <Directory /> Deny from all </Directory> + + NameVirtualHost *:80 <VirtualHost *:80> ServerName www1.example.com
