  1. #1
    Beaumont

    RewriteCond -U (is existing URL via subrequest)

    Does anyone have experience with the -U CondPattern for RewriteCond?

    This example from the Apache URL Rewriting Guide is supposed to redirect failing requests on webserver A to webserver B:

    Code:
    RewriteEngine on
    RewriteCond   %{REQUEST_URI} !-U
    RewriteRule   ^(.+)          http://webserverB.dom/$1

    This feature is not working at all for me and I'm trying to figure out why.

    Unfortunately, the documentation doesn't really explain exactly how it works. I assumed that if the specified URL returned a 4xx or 5xx response, the condition would evaluate to false, true otherwise, but now I'm not sure that's what it's supposed to do at all. It's certainly not working that way for me.

  2. #2
    dklynn

    Beaumont,

    No, no experience with that either but you're using it correctly (if the Apache.org example is right) so I'd just have to parrot their admonition to just use an error redirect.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    Beaumont

    Thanks DK. The thing is, I wanted to use it for a completely different purpose. I'm setting up a site that requires restricted access to files of various types (e.g. PDF, TIF, Word, etc.). I already have a method of doing it by sending the files to the browser through PHP, but I don't want to incur the overhead of doing that.

    When I learned of this -U option, I thought that I could do the following

    Code:
    RewriteEngine on
    RewriteCond   script.php !-U
    RewriteRule   ^(.+)          http://www.example.com/denied.html [R,L]

    Where script.php would check whether the user was authorized to view the file and return a response code indicating success or failure. However, -U doesn't seem to work that way, or perhaps it doesn't work at all.

  4. #4
    dklynn

    Beaumont,

    With this description, no, it SHOULD NOT work! Apache's merely checking to see whether script.php exists, not whether it's processed something to return a code! That's the job of PHP. I would think it would be far simpler to use SESSIONS to require that a valid authorization exists before offering a link to your protected files.

    Regards,

    DK

  5. #5
    Beaumont

    Well, this is what the documentation says:

    "Checks if TestString is a valid URL and accessible via all the server's currently-configured access controls for that path. This uses an internal subrequest to determine the check, so use it with care because it decreases your server's performance!"

    It seems to me that Apache would have to use the response code returned by that internal subrequest to determine whether it's a valid and accessible URL. If not that, then how does it work?

    PHP sessions alone are not enough to restrict access to the files unless they're output by PHP. If only the link is protected, then nothing would prevent the user from accessing that link directly in the future and guessing the links to other files.

  6. #6
    dklynn

    Beaumont,

    Sorry, I interpret their URL check as whether script.php exists on the website (i.e., like a -f check against a requested file name but specified to be within the webspace).

    Since I've used code like the following before (after checking both my test server and online server to be sure that they complied), I'd recommend the following in the .htaccess:
    Code:
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
    RewriteRule .*\.(doc|pdf|etc)$ - [F]

    I'd delete the first condition IF your Apache gives the HTTP_REFERER for your page; otherwise direct links would be accepted.

    Regards,

    DK

  7. #7
    Beaumont

    I don't know, DK, their description isn't very good. If what you describe is along the right lines, I think that would describe the -F (different than -f) check, not -U.

    Thanks for the suggestion, but HTTP_REFERER is too unreliable (e.g. stripped out by popular firewalls) and easily faked to be useful. I'm not sure there's a point of using it at all if you're simply going to allow it to be empty.

  8. #8
    dklynn

    Beaumont,

    My suggestion had been to confirm that HTTP_REFERER was available from your server then require that your protected directory require that HTTP_REFERER be properly set to allow access.

    My f was to check on the existence of the file, not Fail. It's all in the semantics.

    Anyway, I think that you were trying to do something with the U that wasn't intended so I was suggesting an alternative means of achieving your stated goal.

    Good Luck!

    Regards,

    DK
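
Added example, not part of the thread or of either poster's code: a small Python model of the RewriteCond/RewriteRule set from post #6, run over constructed requests, to show how the rule treats a present, off-site, and absent Referer both as posted and with the first condition removed. The request path, the `other.example` host and the helper names are assumptions made for illustration.

```python
import re

# RewriteCond lines from post #6 as (variable, pattern, negated, nocase).
CONDS = [
    ("HTTP_REFERER", r"^$", True, False),
    ("HTTP_REFERER", r"^http://www.quux-corp.de/~quux/.*$", True, True),
]
RULE_PATTERN = r".*\.(doc|pdf|etc)$"  # RewriteRule pattern; [F] means 403


def cond_holds(value, pattern, negated, nocase):
    """One RewriteCond: regex match, [NC] as re.I, leading '!' negates."""
    matched = re.search(pattern, value, re.I if nocase else 0) is not None
    return matched != negated


def decide(path, headers, conds=CONDS):
    """Return 403 when the rule fires (all conditions hold), else 200."""
    if not re.search(RULE_PATTERN, path):
        return 200  # not a protected extension, rule does not apply
    # An absent header expands to the empty string in mod_rewrite.
    env = {"HTTP_REFERER": headers.get("Referer", "")}
    fires = all(cond_holds(env[v], p, neg, nc) for v, p, neg, nc in conds)
    return 403 if fires else 200


def survey(conds):
    """Run constructed requests (not captured traffic) through the rule."""
    site = "http://www.quux-corp.de/~quux/index.html"
    requests = {
        # The server only sees the header value the client chose to send.
        "referer names the site": {"Referer": site},
        "referer names another site": {"Referer": "http://other.example/"},
        "referer absent or stripped": {},
    }
    return {name: decide("files/report.pdf", h, conds)
            for name, h in requests.items()}


if __name__ == "__main__":
    print("as posted:              ", survey(CONDS))
    print("first condition removed:", survey(CONDS[1:]))
```

With both conditions, a request with no Referer is served; with the first condition removed, the same request is refused, which also refuses visitors whose Referer is stripped in transit, the trade-off raised in post #7.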

