[22226] in bugtraq

Are your mod_rewrite rules doing what you expect?

daemon@ATHENA.MIT.EDU (Jeff Workman)
Mon Aug 13 10:57:43 2001

Date: Sun, 12 Aug 2001 21:46:26 -0400
From: Jeff Workman <jworkman@pimpworks.org>
To: bugtraq@securityfocus.com
Message-ID: <1220373852.997652786@SNOC-1>

My apologies if this has been discussed in the past.

A lot of sites do not wish for their images, or other content, to be linked 
to from outside of their site.  If they use Apache and the mod_rewrite 
module, they usually have a directive, or several directives, in their 
httpd.conf like:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/images/.* - [G]

I have found that it is possible to circumvent the above rule by 
constructing your link like:

http://www.yoursite.com//images/image.jpg

The web browser will then make an HTTP request like "GET 
//images/image.jpg HTTP/1.0", which does not match this rewrite rule, but 
is still valid.

This does not appear to be a bug with mod_rewrite or even Apache proper, 
but it looks like it's inherited from either the filesystem driver, or 
perhaps your operating system's libc, which, at least on UNIX systems that 
I am familiar with, handles multiple occurrences of "/" in a pathname as 
though it were a single "/".

This can be fixed by modifying your RewriteRule directives to reflect this 
behavior:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/*images/.* - [G]

Which will match multiple occurrences of "/" in the path of the HTTP request.

Jeff
www.pimpworks.org

--
"...and the burnt fool's bandaged finger goes wobbling back to the
fire." -Joe Zeff in the SDM.
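
The following is an added example, not part of the original post: a small Python check that runs the two RewriteRule patterns from the message against slash-padded variants of a protected path and reports the variants that reach the same file without matching the rule. The helper names and the sample path are assumptions, and Python's re module stands in for mod_rewrite's regex engine, which behaves the same for patterns this simple.

```python
import re

# Patterns copied from the post: the original rule and the suggested fix.
ORIGINAL_RULE = r"^/images/.*"
FIXED_RULE = r"^/*images/.*"


def collapse_slashes(path):
    """Collapse runs of '/' as a UNIX pathname lookup does."""
    return re.sub(r"/{2,}", "/", path)


def slash_variants(path, max_extra=2):
    """Return the path with 1..max_extra extra '/' added at each separator."""
    variants = []
    for i, ch in enumerate(path):
        if ch != "/":
            continue
        for extra in range(1, max_extra + 1):
            variants.append(path[:i] + "/" * extra + path[i:])
    return variants


def audit_rule(pattern, protected_path):
    """List variants that reach the same file but that the rule does not match."""
    rule = re.compile(pattern)
    missed = []
    for candidate in slash_variants(protected_path):
        same_file = collapse_slashes(candidate) == protected_path
        # mod_rewrite patterns are unanchored unless they use ^ or $, so search().
        if same_file and not rule.search(candidate):
            missed.append(candidate)
    return missed


if __name__ == "__main__":
    target = "/images/image.jpg"  # constructed sample path
    for name, pattern in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        missed = audit_rule(pattern, target)
        print(f"{name:8} {pattern!r}: {len(missed)} unmatched variant(s)")
        for path in missed:
            print("   ", path)
```

Apache httpd 2.4.39 and later also provide a MergeSlashes directive, which controls whether consecutive slashes are merged before this kind of matching takes place.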
