Bugtraq mailing list archives
Are your mod_rewrite rules doing what you expect?
From: Jeff Workman <jworkman () pimpworks org>
Date: Sun, 12 Aug 2001 21:46:26 -0400
My apologies if this has been discussed in the past.

A lot of sites do not wish for their images, or other content, to be linked to from outside of their site. If they use Apache and the mod_rewrite module, they usually have a directive, or several directives, in their httpd.conf like:

    RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
    RewriteRule ^/images/.* - [G]

I have found that it is possible to circumvent the above rule by constructing your link like:

    http://www.yoursite.com//images/image.jpg

The web browser will then make an HTTP request like "GET //images/image.jpg HTTP/1.0", which does not match this rewrite rule, but is still valid.
This does not appear to be a bug with mod_rewrite or even Apache proper, but it looks like it's inherited from either the filesystem driver, or perhaps your operating system's libc, which, at least on UNIX systems that I am familiar with, handles multiple occurrences of "/" in a pathname as though it were a single "/".
This can be fixed by modifying your ReWriteRule directives to reflect this behavior:

    RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
    # "/*" matches any number of leading slashes, so //images/ is caught too
    RewriteRule ^/*images/.* - [G]

Which will match multiple occurrences of "/" in the path of the HTTP request.

Jeff
www.pimpworks.org
--
"...and the burnt fool's bandaged finger goes wobbling back to the fire."
-Joe Zeff in the SDM.
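
An added example, not part of the original post: a Python check that runs the two RewriteRule patterns quoted above against every request path that differs from the protected path only in repeated slashes, and lists the ones a pattern would let through. Python's `re` stands in for mod_rewrite's regex engine, and the function names are hypothetical.

```python
import itertools
import re

# RewriteRule patterns quoted in the post: the original and the corrected one.
ORIGINAL = r"^/images/.*"
FIXED = r"^/*images/.*"


def collapse(path):
    """Collapse runs of '/' the way a UNIX pathname lookup treats them."""
    return re.sub(r"/{2,}", "/", path)


def slash_variants(path, max_repeat=3):
    """Yield request paths that resolve to the same file as `path`,
    built by repeating each '/' separator 1..max_repeat times."""
    parts = path.split("/")  # '/images/a.jpg' -> ['', 'images', 'a.jpg']
    seps = len(parts) - 1
    for counts in itertools.product(range(1, max_repeat + 1), repeat=seps):
        # zip stops after the last separator; the final segment is appended.
        yield "".join(p + "/" * n for p, n in zip(parts, counts)) + parts[-1]


def unmatched(pattern, path, max_repeat=3):
    """Return equivalent request paths that `pattern` does not match,
    i.e. requests that skip the RewriteRule yet still reach the file."""
    rx = re.compile(pattern)
    # mod_rewrite patterns are unanchored unless they use ^ or $,
    # so search() is the right analogue, not fullmatch().
    return [v for v in slash_variants(path, max_repeat)
            if collapse(v) == path and not rx.search(v)]


if __name__ == "__main__":
    protected = "/images/image.jpg"  # constructed sample path
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        gaps = unmatched(pattern, protected)
        print(f"{name:8} {pattern:16} misses {len(gaps)} variant(s)")
        for g in gaps:
            print("   ", g)
```

Running the same check over every path-matching pattern in a configuration shows which rules assume a single leading slash.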