Bug #1230

appending / to URL breaks access-deny setting

Added by Anonymous about 12 years ago. Updated about 12 years ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
core
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

If a / is appended to a URL, lighttpd incorrectly serves the original URL.

i.e. a request for

http://www.ahost.com/graphics/image.jpg/

will result in lighty serving the file at

http://www.ahost.com/graphics/image.jpg

This breaks access-deny settings! For instance, if I have configured lighty to deny hot-linked .jpg's like this:

$HTTP["referer"] !~ "^($|http://www.ahost.com)" {
    url.access-deny = ( ".jpg" )
}

Then the hot-linked request for "http://www.ahost.com/graphics/image.jpg" will be denied...

But the hot-linked request for "http://www.ahost.com/graphics/image.jpg/" will be served and the access-deny setting will not be obeyed. This means that any hot-linker can get around my access-deny settings by appending the "/" to the file he wants to hot-link.

The solution is for lighty to not serve up the original file when a request for that file with an appended "/" is made.

-- jay
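The report and the r1871 fix listed under Associated revisions, modelled as an added example (this is not lighttpd source code): a constructed in-memory docroot, a suffix-match deny list like url.access-deny, a path-info splitter that peels trailing components off a request path until it names an existing file, and two request handlers. The first matches the deny list once against the raw request path, which is why "/graphics/image.jpg/" slips past ".jpg"; the second matches it again against the physical path left after the split. The docroot contents, the referer test and the handler names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the docroot: the only regular files that exist. */
static const char *const DOCROOT_FILES[] = { "/graphics/image.jpg", "/index.html", NULL };

/* The url.access-deny list from the report. */
static const char *const DENY_JPG[] = { ".jpg", NULL };

enum outcome { SERVED, DENIED, NOT_FOUND };

static bool file_exists(const char *path)
{
    for (const char *const *p = DOCROOT_FILES; *p; p++)
        if (strcmp(*p, path) == 0)
            return true;
    return false;
}

/* url.access-deny is a plain suffix match on whatever path it is given. */
static bool denied_by_suffix(const char *path, const char *const *suffixes)
{
    size_t plen = strlen(path);
    for (; *suffixes; suffixes++) {
        size_t slen = strlen(*suffixes);
        if (slen <= plen && memcmp(path + plen - slen, *suffixes, slen) == 0)
            return true;
    }
    return false;
}

/* Assumed model of $HTTP["referer"] !~ "^($|http://www.ahost.com)": the request
 * is hot-linked when the referer is non-empty and not our own origin. */
static bool referer_is_foreign(const char *referer)
{
    static const char own[] = "http://www.ahost.com";
    if (referer == NULL || referer[0] == '\0')
        return false;
    return strncmp(referer, own, sizeof own - 1) != 0;
}

/* Path-info splitting: when the request path names no file, peel trailing
 * components off until the prefix does; the rest becomes PATH_INFO. Writes the
 * physical path to phys and returns its length, or 0 when nothing matches. */
static size_t split_path_info(const char *uri, char *phys, size_t physsz)
{
    size_t n = strlen(uri);
    if (n + 1 > physsz)
        return 0;
    memcpy(phys, uri, n + 1);
    while (n > 0) {
        phys[n] = '\0';
        if (file_exists(phys))
            return n;
        for (n--; n > 0 && phys[n] != '/'; n--)
            ;
    }
    return 0;
}

/* Pre-r1871 behaviour: the deny list is matched once, against the raw request
 * path, before the split. "/graphics/image.jpg/" does not end in ".jpg", so
 * the check passes and the file found by the split is served. */
static enum outcome handle_before_fix(const char *uri, const char *referer,
                                      const char *const *deny)
{
    char phys[256];
    if (referer_is_foreign(referer) && denied_by_suffix(uri, deny))
        return DENIED;
    if (split_path_info(uri, phys, sizeof phys) == 0)
        return NOT_FOUND;
    return SERVED;
}

/* r1871 ("check the URL twice, before and after path-info handling"): the
 * deny list is also matched against the physical path left after the split. */
static enum outcome handle_after_fix(const char *uri, const char *referer,
                                     const char *const *deny)
{
    char phys[256];
    bool foreign = referer_is_foreign(referer);
    if (foreign && denied_by_suffix(uri, deny))
        return DENIED;
    if (split_path_info(uri, phys, sizeof phys) == 0)
        return NOT_FOUND;
    if (foreign && denied_by_suffix(phys, deny))
        return DENIED;
    return SERVED;
}

int main(void)
{
    static const char *const names[] = { "served", "denied", "not found" };
    const char *uri = "/graphics/image.jpg/", *ref = "http://evil.example/";
    printf("%s hot-linked: before fix %s, after fix %s\n", uri,
           names[handle_before_fix(uri, ref, DENY_JPG)],
           names[handle_after_fix(uri, ref, DENY_JPG)]);
    return 0;
}
```

The second check is what closes the hole: any request that resolves to a denied file, however many trailing components were appended, is rejected on the physical path rather than on the attacker-controlled request string.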

Associated revisions

Revision 1869 (diff)
Added by jan about 12 years ago

fixed remote crash on duplicate header keys with line-wrapping (fixes #1230)

Revision 9e4e4f7e (diff)
Added by jan about 12 years ago

fixed remote crash on duplicate header keys with line-wrapping (fixes #1230)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1869 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 1871 (diff)
Added by jan about 12 years ago

check the URL twice, before and after path-info handling. (fixes #1230)

Revision 022760f0 (diff)
Added by jan about 12 years ago

check the URL twice, before and after path-info handling. (fixes #1230)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1871 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1

Updated by jan about 12 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

One solution is to use static-file.exclude-extensions = ( ".jpg" ) instead, or wait for r1871 to appear.