Mod_rewrite How to circumvent Apache URL detection routines?

Last Update:2016-10-12 Source: Internet

Author: User

Tags cve

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

There are the following rules


  
   
    
     RewriteEngine On  RewriteOptions AllowAnyURI  Options +FollowSymLinks   RewriteBase /  RewriteCond %{REQUEST_FILENAME} !-d  RewriteCond %{REQUEST_FILENAME} !-f  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]

I need the following URL pattern:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [Core:error] [PID 17112:tid 1888] (20024) The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] ah00036:access to/resource:36 F Ailed (filesystem path ' d:/server/three/public/resource:36 ') [Wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of Require all Granted:gran ted[wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:601 [] ah01626:authorization result of
  
   : granted[wed Oct 09:02:01.488348] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.  1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.489347] [Authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of
   
    
     : granted[wed Oct 09:02:01.490349] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 12 7.0.0.1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.490349] [Authz_core: Debug] [pid 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
     
      : GR anted[wed Oct 09:02:01.492351] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:6 0133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.492351] [authz_core:debug] [P
  ID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
      
       : granted

Without rewriting, there is no problem:/index.php/resource:36
I found the following reference

Mod_rewrite

Allowanyuri

When rewriterule are used in VirtualHost or server context with version 2.2.22 or later of httpd, Mod_rewrite would only pro Cess The rewrite rules if the request URI is a url-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see cve-2011-3368 and cve-2011-4317). To lift the restriction on matching a url-path, the Allowanyuri option can is enabled, and mod_rewrite would apply the rule Set to any request URI string, regardless of whether this string matches the Url-path grammar required by the HTTP Specif Ication.
Available in Apache HTTP Server 2.4.3 and later.

Did I get the wrong idea?
Ps:sourceforge has a URL in this format:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

Add:
Similar to the following rewrite mechanism, the individual pro-test, the Apache URL detection period returned 403, no more than the URL rewrite module

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

Reply content:

There are the following rules


  
   
    
     RewriteEngine On  RewriteOptions AllowAnyURI  Options +FollowSymLinks   RewriteBase /  RewriteCond %{REQUEST_FILENAME} !-d  RewriteCond %{REQUEST_FILENAME} !-f  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]

I need the following URL pattern:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [Core:error] [PID 17112:tid 1888] (20024) The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] ah00036:access to/resource:36 F Ailed (filesystem path ' d:/server/three/public/resource:36 ') [Wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of Require all Granted:gran ted[wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:601 [] ah01626:authorization result of
  
   : granted[wed Oct 09:02:01.488348] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.  1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.489347] [Authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of
   
    
     : granted[wed Oct 09:02:01.490349] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 12 7.0.0.1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.490349] [Authz_core: Debug] [pid 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
     
      : GR anted[wed Oct 09:02:01.492351] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:6 0133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.492351] [authz_core:debug] [P
  ID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
      
       : granted

Without rewriting, there is no problem:/index.php/resource:36
I found the following reference

Mod_rewrite

Allowanyuri

When rewriterule are used in VirtualHost or server context with version 2.2.22 or later of httpd, Mod_rewrite would only pro Cess The rewrite rules if the request URI is a url-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see cve-2011-3368 and cve-2011-4317). To lift the restriction on matching a url-path, the Allowanyuri option can is enabled, and mod_rewrite would apply the rule Set to any request URI string, regardless of whether this string matches the Url-path grammar required by the HTTP Specif Ication.
Available in Apache HTTP Server 2.4.3 and later.

Did I get the wrong idea?
Ps:sourceforge has a URL in this format:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

Add:
Similar to the following rewrite mechanism, the individual pro-test, the Apache URL detection period returned 403, no more than the URL rewrite module

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

The idea is that you write regular expression rules from URL fetch string, forward to index.php, as a parameter, and then you write logic to parse the string

So your rewrite rules should change to something like

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

Then try to parse in STR and then internally route to a specific class, method execution, and then response



This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More