Bug #1230

appending / to URL breaks access-deny setting

Added by Anonymous over 12 years ago. Updated over 12 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
% Done: 0%

Description

If a / is appended to a URL, lighttpd incorrectly serves the original URL.

i.e. a request for

http://www.ahost.com/graphics/image.jpg/

will result in lighty serving the file at

http://www.ahost.com/graphics/image.jpg

This breaks access-deny settings! For instance, if I have configured lighty to deny hot-linked .jpg's like this:

$HTTP["referer"] !~ "^($|http://www.ahost.com)" {
    url.access-deny = ( ".jpg" )
}

Then the hot-linked request for "http://www.ahost.com/graphics/image.jpg" will be denied...

But the hot-linked request for "http://www.ahost.com/graphics/image.jpg/" will be served and the access-deny setting will not be obeyed. This means that any hot-linker can get around my access-deny settings by appending the "/" to the file he wants to hot-link.

The solution is for lighty to not serve up the original file when a request for that file with an appended "/" is made.

-- jay

#1

Updated by jan over 12 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

One solution is to use static-file.exclude-extensions = ( ".jpg" ) instead or wait for r1871 to appear.
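The mismatch reported above, as an added example that is not lighttpd source code and not part of the original ticket: a suffix-based deny rule compared against the raw request path, next to a variant that strips trailing slashes first. The function names and the double-slash test path are assumptions made for illustration, and the normalizing variant is one possible mitigation, not necessarily what r1871 does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a suffix-based deny rule; not lighttpd source code. */
static int has_suffix(const char *s, size_t len, const char *suffix) {
    size_t n = strlen(suffix);
    return len >= n && memcmp(s + len - n, suffix, n) == 0;
}

/* Check as the report describes it behaving: the suffix is compared against
 * the request path exactly as sent, so a trailing '/' hides the extension. */
int denied_raw(const char *path, const char *suffix) {
    return has_suffix(path, strlen(path), suffix);
}

/* Assumed mitigation: drop trailing '/' before comparing, so the rule sees
 * the same name the file lookup ends up serving. */
int denied_normalized(const char *path, const char *suffix) {
    size_t len = strlen(path);
    while (len > 1 && path[len - 1] == '/')
        len--;
    return has_suffix(path, len, suffix);
}

/* Request paths that must all be denied: the two from the report plus a
 * constructed double-slash form (assumed to resolve to the same file). */
static const char *const must_deny[] = {
    "/graphics/image.jpg", "/graphics/image.jpg/", "/graphics/image.jpg//",
};

/* Regression check: number of must-deny paths a given check lets through. */
int count_bypasses(int (*check)(const char *, const char *)) {
    int missed = 0;
    for (size_t i = 0; i < sizeof must_deny / sizeof must_deny[0]; i++)
        if (!check(must_deny[i], ".jpg"))
            missed++;
    return missed;
}

int main(void) {
    printf("raw check bypasses:        %d\n", count_bypasses(denied_raw));
    printf("normalized check bypasses: %d\n", count_bypasses(denied_normalized));
    return 0;
}
```

The same table of paths can be replayed against a running server to confirm that every variant of a protected file name returns the deny response.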
