Mod_rewrite How to circumvent Apache URL detection routines?

Source: Internet
Author: User
Tags cve
There are the following rules


  
   
    
     RewriteEngine On  RewriteOptions AllowAnyURI  Options +FollowSymLinks   RewriteBase /  RewriteCond %{REQUEST_FILENAME} !-d  RewriteCond %{REQUEST_FILENAME} !-f  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
  
   

I need the following URL pattern:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [Core:error] [PID 17112:tid 1888] (20024) The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] ah00036:access to/resource:36 F Ailed (filesystem path ' d:/server/three/public/resource:36 ') [Wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of Require all Granted:gran ted[wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:601 [] ah01626:authorization result of
  
   : granted[wed Oct 09:02:01.488348] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.  1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.489347] [Authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of
   
    
     : granted[wed Oct 09:02:01.490349] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 12 7.0.0.1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.490349] [Authz_core: Debug] [pid 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
     
      : GR anted[wed Oct 09:02:01.492351] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:6 0133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.492351] [authz_core:debug] [P
  ID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
      
       : granted 
      
 
     

    
   
  

Without rewriting, there is no problem:/index.php/resource:36
I found the following reference

Mod_rewrite

Allowanyuri

When rewriterule are used in VirtualHost or server context with version 2.2.22 or later of httpd, Mod_rewrite would only pro Cess The rewrite rules if the request URI is a url-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see cve-2011-3368 and cve-2011-4317). To lift the restriction on matching a url-path, the Allowanyuri option can is enabled, and mod_rewrite would apply the rule Set to any request URI string, regardless of whether this string matches the Url-path grammar required by the HTTP Specif Ication.
Available in Apache HTTP Server 2.4.3 and later.

Did I get the wrong idea?
Ps:sourceforge has a URL in this format:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

Add:
Similar to the following rewrite mechanism, the individual pro-test, the Apache URL detection period returned 403, no more than the URL rewrite module

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

Reply content:

There are the following rules


  
   
    
     RewriteEngine On  RewriteOptions AllowAnyURI  Options +FollowSymLinks   RewriteBase /  RewriteCond %{REQUEST_FILENAME} !-d  RewriteCond %{REQUEST_FILENAME} !-f  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
  
   

I need the following URL pattern:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [Core:error] [PID 17112:tid 1888] (20024) The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] ah00036:access to/resource:36 F Ailed (filesystem path ' d:/server/three/public/resource:36 ') [Wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of Require all Granted:gran ted[wed Oct 09:02:01.486347] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:601 [] ah01626:authorization result of
  
   : granted[wed Oct 09:02:01.488348] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.  1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.489347] [Authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of
   
    
     : granted[wed Oct 09:02:01.490349] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 12 7.0.0.1:60133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.490349] [Authz_core: Debug] [pid 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
     
      : GR anted[wed Oct 09:02:01.492351] [authz_core:debug] [PID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:6 0133] ah01626:authorization result of Require all granted:granted[wed Oct 09:02:01.492351] [authz_core:debug] [P
  ID 17112:tid 1888] mod_authz_core.c (806): [Client 127.0.0.1:60133] ah01626:authorization result of 
      
       : granted 
      
 
     

    
   
  

Without rewriting, there is no problem:/index.php/resource:36
I found the following reference

Mod_rewrite

Allowanyuri

When rewriterule are used in VirtualHost or server context with version 2.2.22 or later of httpd, Mod_rewrite would only pro Cess The rewrite rules if the request URI is a url-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see cve-2011-3368 and cve-2011-4317). To lift the restriction on matching a url-path, the Allowanyuri option can is enabled, and mod_rewrite would apply the rule Set to any request URI string, regardless of whether this string matches the Url-path grammar required by the HTTP Specif Ication.
Available in Apache HTTP Server 2.4.3 and later.

Did I get the wrong idea?
Ps:sourceforge has a URL in this format:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

Add:
Similar to the following rewrite mechanism, the individual pro-test, the Apache URL detection period returned 403, no more than the URL rewrite module

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

The idea is that you write regular expression rules from URL fetch string, forward to index.php, as a parameter, and then you write logic to parse the string

So your rewrite rules should change to something like

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

Then try to parse in STR and then internally route to a specific class, method execution, and then response

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.