1

I've got a rewrite rule set up like this:

    RewriteCond %{DOCUMENT_ROOT}/cache/%{REQUEST_URI} -f
    RewriteRule ^(.*)$ cache/$1 [QSA,PT,L]

Brief explanation for this rule: it checks to see if a requested file exists in the cache directory. If it does, then it serves the cache directory.

E.g. a request to http://somehost.tld/about.html would be served from http://somehost.tld/cache/about.html (if this file exists).

What I'm concerned about is if the RewriteRule is insecure. Is it possible for someone to request a URL like this, with double periods in it to move up a directory:

http://somehost.tld/../../private_file.txt

So causing private_file.txt to be served from a directory above my Apache public folder?

2
  • BTW I did try this out but my results were inconclusive on my server, I think it's safe, but I'm not certain... Commented Feb 17, 2010 at 12:07
  • My guess is that Apache would deny access to the file private_file.txt. However a determined attacker could possibly test for the presence of private_file.txt on your system by the response given. Commented Feb 17, 2010 at 12:08

2 Answers

2

Including .. in a URL doesn't work at either the HTTP request level or the browser level. Browsers just resolve the relative paths, sending a request for the appropriate file (capping it at the server root). So typing this into an address bar:

http://somehost.tld/../../private_file.txt 

Would result in an HTTP request for:

http://somehost.tld/private_file.txt 

In other words, someone would have to manually craft an HTTP request for the ../.. to reach Apache. And that comes back with HTTP 400 Bad Request. Example from my local server (which has no rewrite rules):

    ritsuko:~ spyder$ curl -v http://localhost/../randomfile
    * About to connect() to localhost port 80 (#0)
    * Trying ::1... connected
    * Connected to localhost (::1) port 80 (#0)
    > GET /../randomfile HTTP/1.1
    > User-Agent: curl/7.19.4 (universal-apple-darwin10.0) libcurl/7.19.4 OpenSSL/0.9.8l zlib/1.2.3
    > Host: localhost
    > Accept: */*
    >
    < HTTP/1.1 400 Bad Request
    < Date: Wed, 17 Feb 2010 13:18:40 GMT
    < Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2
    < Content-Length: 226
    < Connection: close
    < Content-Type: text/html; charset=iso-8859-1
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    </p>
    </body></html>
    * Closing connection #0

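
Added example (not part of the answer above, and not Apache's own code): a simplified Python model of the two behaviours the answer describes, client-side dot-segment resolution and server-side rejection of paths that climb above the root, applied to the question's cache lookup. The function names, the reject/miss/hit labels and the temporary directory tree are assumptions made for illustration.

```python
# Added illustration: names and the reject/miss/hit labels are assumptions, not Apache code.
import tempfile
from pathlib import Path
from urllib.parse import unquote

def remove_dot_segments(path):
    """What a browser or curl sends: '..' resolved and capped at '/' (RFC 3986, 5.2.4)."""
    segs, out = path.split("/")[1:], []
    for i, seg in enumerate(segs):
        if seg == ".." and out:
            out.pop()
        elif seg not in (".", ".."):
            out.append(seg)
        if seg in (".", "..") and i == len(segs) - 1:
            out.append("")          # a trailing dot segment leaves a trailing '/'
    return "/" + "/".join(out)


def climbs_above_root(raw_path):
    """True if the percent-decoded path steps above '/' at any point."""
    depth = 0
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        if depth < 0:
            return True
    return False


def cache_lookup(docroot, raw_path):
    """Map /x to <docroot>/cache/x if that file exists: ('reject'|'miss'|'hit', path)."""
    decoded = unquote(raw_path)
    if not decoded.startswith("/") or "\x00" in decoded or climbs_above_root(raw_path):
        return "reject", None       # the case answered with 400 in the transcript
    cache = (Path(docroot) / "cache").resolve()
    # lstrip keeps '//x' from being joined as an absolute path; resolve() follows symlinks
    target = (cache / decoded.lstrip("/")).resolve()
    if cache in target.parents and target.is_file():
        return "hit", target
    return "miss", None             # not cached: normal request handling continues


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:      # constructed sample tree
        root = Path(tmp) / "htdocs"
        (root / "cache").mkdir(parents=True)
        (root / "cache" / "about.html").write_text("cached")
        for p in ("/about.html", "/../../private_file.txt", "/%2e%2e/x"):
            print(p, "->", remove_dot_segments(p), cache_lookup(root, p)[0])
```
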
0

Apache doesn't allow 'move up a directory'.
