Forum

rewrite deny not denying

Waitman Gobble
16 April 2018, 07:08
Hiawatha v10.7

I wrote my toolkit based on the example.

https://www.hiawatha-webserver.org/howto/url_toolkit
UrlToolkit {
ToolkitID = hubzilla
Match ^/store DenyAccess
RequestURI exists Return
Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
Match /(.*) Rewrite /index.php?q=$1
}

Here's the issue:

reguest /store/a/b/c returns 403 forbidden (expected)
request //store/a/b/c returns 200 and the file (should be denied)
request ///store/a/b/c returns 200 and the file (should be denied)

Basically adding extra / in front of the URI it returns the file, which should be denied.

here's a live example. (url is long)
http://rink.to/dC0
Waitman Gobble
16 April 2018, 09:20
Not sure exactly what should be correct,

on both Debian GNU/Linux and FreeBSD:

# ls -l store//////web/////test.php
-rw-r--r-- 1 root root 56 Apr 15 23:50 store//////web/////test.php

So apparently the file system call to check if the file exists will return true. It's possible that the web server is operating properly.

The downside is that the ^/store won't match ^//store etc.

The fix I have come up with is to add a check for double slashes in the rewrite toolkit.

Match (//) DenyAccess

so it becomes:
UrlToolkit {
ToolkitID = hubzilla
Match (//) DenyAccess
Match ^/store DenyAccess
RequestURI exists Return
Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
Match /(.*) Rewrite /index.php?q=$1
}

IMHO at minimum this should be mentioned on the rewrite examples page, I do not think it's clear to expect this behavior?

Thanks.
Hugo Leisink
19 April 2018, 09:04
How about this:
UrlToolkit {
ToolkitID = hubzilla
Match ^(/+)store DenyAccess
RequestURI exists Return
Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
Match /(.*) Rewrite /index.php?q=$1
}
Waitman
19 April 2018, 15:47
yes, that works. and it's better. some links have stuff like /path/to?u=https://example.com so it trips the double slash deny (//)

thank you.
Allowed BBcodes:
[quote]
[code]
[config]
[url]
[color]
[size]
[img]
[b]
[i]
[u]
[s]
[list]
[ul]
[ol]
[*]