Bug #1720

closed

Rewrite/redirect rules and URL encoding

Added by Anonymous over 16 years ago. Updated over 6 years ago.

Status: Fixed
Priority: Normal
Category: mod_rewrite
Target version:

Description

Dear lighty community,

I am using lighty to serve a wiki; to have nice URLs, I use the following in my lighttpd.conf:

url.rewrite-once = ( "^/wiki/(.*)$" => "/wiki/awki.cgi/$1" )

and so I was hoping that everything going through /wiki/ would be interpreted by the script 'awki.cgi'. However, if I URL-encode a part of the URL, the above rewrite rule does not apply: if I ask my browser to access /wik%69/, lighty does not execute the script and gives me a listing of files in that directory!

Is there a way to avoid that?
I asked in the forum last week but, as I had no answer, I decided to open a ticket; I apologize if this is inappropriate.

-- gaetan.bisson


Related issues 6 (0 open, 6 closed)

Related to Bug #1832: lighty doesn't quote spaces in urls in proxy module (Fixed, 2008-11-26)
Related to Bug #1827: 400 Response on any URL that contains a space character (ASCII 20) (Fixed, darix, 2008-11-20)
Related to Bug #1819: mod_rewrite not working anymore after patching (Fixed, 2008-11-11)
Related to Bug #1802: url-encode/decode (Fixed, stbuehler, 2008-10-20)
Related to Bug #911: Need for URL encoding in mod_redirect and possibly mod_rewrite (Fixed)
Has duplicate Bug #1898: url.redirect matches the raw URL instead of the normalized URL (Duplicate, 2009-02-12)

Added by stbuehler over 16 years ago

Revision 55479281 (diff)

Decode url before matching in mod_rewrite (#1720)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2278 152afb58-edef-0310-8abb-c4023f1b3aa9

Added by stbuehler over 16 years ago

Revision 345462a4 (diff)

Use decoded url for matching in mod_redirect (#1720)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2309 152afb58-edef-0310-8abb-c4023f1b3aa9

Added by stbuehler almost 16 years ago

Revision 2448 (diff)

Revert url decoding+simplifying before matching of mod_rewrite/mod_redirect (#1720)

Added by gstrauss over 6 years ago

Revision 3eb7902e (diff)

[core] server.http-parseopts URL normalization opt (fixes #1720)

server.http-parseopts = ( ... ) URL normalization options

Note: not applied to CONNECT method

Note: In a future release, URL normalization likely enabled by default
(normalize URL, reject control chars, remove . and .. path segments)
To prepare for this change, lighttpd.conf configurations should
explicitly select desired behavior by enabling or disabling:
server.http-parseopts = ( "url-normalize" => "enable", ... )
server.http-parseopts = ( "url-normalize" => "disable" )

x-ref:
"lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
https://www.cvedetails.com/cve/CVE-2008-4359/
"Rewrite/redirect rules and URL encoding"
https://redmine.lighttpd.net/issues/1720
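
The mismatch reported in this ticket, and the effect of normalizing the URL before rule matching, shown as an added example that is not part of the ticket or of lighttpd's source. It is a simplified model: `normalize_unreserved` and `route` are hypothetical names, and the normalization follows RFC 3986 section 6.2.2.2 rather than lighttpd's implementation.

```python
import re
from urllib.parse import unquote

# Rule from the ticket: url.rewrite-once = ( "^/wiki/(.*)$" => "/wiki/awki.cgi/$1" )
RULE = (re.compile(r"^/wiki/(.*)$"), r"/wiki/awki.cgi/\1")

UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_unreserved(path: str) -> str:
    """Decode %XX only for RFC 3986 unreserved chars; uppercase other escapes."""
    def fix(m: re.Match) -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return PCT.sub(fix, path)


def route(raw_path: str, normalize: bool) -> tuple[str, str]:
    """Return (handler, path) for a request path.

    Assumed model: the rule is matched against `subject`; if it misses,
    the path is percent-decoded later for the filesystem lookup, so an
    encoded spelling of /wiki/ still reaches the directory on disk.
    """
    subject = normalize_unreserved(raw_path) if normalize else raw_path
    pattern, target = RULE
    if pattern.match(subject):
        return ("cgi", pattern.sub(target, subject))
    return ("static", unquote(subject))


# Constructed sample request paths (the second is the one from the ticket)
SAMPLES = ["/wiki/Home", "/wik%69/", "/wik%69/Home", "/wiki/a%2fb"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:15} raw={route(p, False)} normalized={route(p, True)}")
```

Reserved escapes such as `%2F` stay encoded after normalization, so the pattern sees one canonical spelling of each path without the path's segment structure changing.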
