Bug #1230
appending / to URL breaks access-deny setting
| Status: | Fixed |
|---|---|
| Priority: | Normal |
| Assigned to: | - |
| Category: | core |
| Target version: | 1.5.0 |
| Start: | |
| Due date: | |
| % Done: | 0% |
| Missing in 1.5.x: | |
Description
If a / is appended to a URL, lighttpd incorrectly serves the original URL.
i.e. a request for
http://www.ahost.com/graphics/image.jpg/
will result in lighty serving the file at
http://www.ahost.com/graphics/image.jpg
This breaks access-deny settings! For instance, if I have configured lighty to deny hot-linked .jpg's like this:
```
# deny .jpg requests whose Referer is neither empty nor from www.ahost.com
$HTTP["referer"] !~ "^($|http://www.ahost.com)" {
    url.access-deny = ( ".jpg" )
}
```
Then the hot-linked request for "http://www.ahost.com/graphics/image.jpg" will be denied...
But the hot-linked request for "http://www.ahost.com/graphics/image.jpg/" will be served and the access-deny setting will not be obeyed. This means that any hot-linker can get around my access-deny settings by appending the "/" to the file he wants to hot-link.
The solution is for lighty to not serve up the original file when a request for that file with an appended "/" is made.
-- jay
Associated revisions
fixed remote crash on duplicate header keys with line-wrapping (fixes #1230)
check the URL twice, before and after path-info handling. (fixes #1230)
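To make the bypass and the second revision's fix concrete, here is an added Python model (not lighttpd code) of how a suffix rule like `url.access-deny = ( ".jpg" )` interacts with path-info splitting. The docroot, image file and referer values are constructed for the demo; the path-info split and suffix match are a simplification of what the server does.

```python
import os
import re
import tempfile

# Bug: the deny rule is tested on the raw URL before PATH_INFO is split off.
DENIED_SUFFIXES = (".jpg",)
ALLOWED_REFERER = re.compile(r"^($|http://www\.ahost\.com)")  # from the report


def split_path_info(docroot, url_path):
    """Longest URL prefix that is a file -> physical path; rest is PATH_INFO."""
    parts = url_path.lstrip("/").split("/")
    for i in range(len(parts), 0, -1):
        candidate = os.path.join(docroot, *parts[:i])
        if os.path.isfile(candidate):
            return candidate, ("/" + "/".join(parts[i:]) if i < len(parts) else "")
    return None, ""


def denied(url_path, referer):
    # hot-linked (referer not ours) request for a denied suffix
    return not ALLOWED_REFERER.match(referer) and url_path.endswith(DENIED_SUFFIXES)


def handle_vulnerable(docroot, url_path, referer):
    """Pre-fix behaviour: the deny rule is checked once, on the raw URL."""
    if denied(url_path, referer):
        return 403
    phys, _info = split_path_info(docroot, url_path)
    return 200 if phys else 404


def handle_fixed(docroot, url_path, referer):
    """Fix from the ticket: check the URL again once PATH_INFO is split off."""
    if denied(url_path, referer):
        return 403
    phys, info = split_path_info(docroot, url_path)
    if phys is None:
        return 404
    stripped = url_path[:-len(info)] if info else url_path
    return 403 if denied(stripped, referer) else 200


def demo():
    with tempfile.TemporaryDirectory() as docroot:  # constructed docroot
        os.makedirs(os.path.join(docroot, "graphics"))
        with open(os.path.join(docroot, "graphics", "image.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed sample")  # placeholder JPEG bytes
        hot = "http://other.example/page"  # constructed third-party referer
        return {
            "vuln_plain": handle_vulnerable(docroot, "/graphics/image.jpg", hot),
            "vuln_slash": handle_vulnerable(docroot, "/graphics/image.jpg/", hot),
            "fixed_slash": handle_fixed(docroot, "/graphics/image.jpg/", hot),
            "fixed_own_site": handle_fixed(docroot, "/graphics/image.jpg/", "http://www.ahost.com/p"),
        }
```

`demo()` returns 403 for the plain hot-linked URL, 200 for the trailing-slash variant under the old logic, and 403 for that variant once the post-path-info check is applied.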
History
Updated by jan about 3 years ago
- Status changed from New to Fixed
- Resolution set to fixed
One solution is to use static-file.exclude-extensions = ( ".jpg" ) instead or wait for r1871 to appear.