Project

General

Profile

Bug #1778

Possible php security issue?

Added by Anonymous almost 12 years ago. Updated over 11 years ago.

Status:
Missing Feedback
Priority:
Normal
Category:
mod_rewrite
Target version:
ASK QUESTIONS IN Forums:

Description

I recently yum installed a fresh copy of lighttpd onto my server, i'm migrating from apache.

I have a very simple site and required the default installation except i enabled php, mod_rewrite and mod_fastcgi.

I also added a line to the conf:


url.rewrite = (
        "^/local/(.*)" => "/local.php/$1",
        "^/site/(.*)" => "/site.php/$1" 
        )

My site has links like :
/site/top_100/100.html

that are passed to a script called 'site.php'

Now here is where things get weird, this link below works fine and executes the script 'site.php' as intended:
/site/contact/200.html (works)

but this link below, lightppd will display the source of the site.php file:
/site/top_100/100.html (displays source of 'site.php')

however, this link below DOES work:
/site/top100/100.html

I've tested it with other links on the site, and it will for some odd reason execute some links, then dump the source of the 'site.php' script file on others that are almost the same. It also DOES work when the underscore is present in some links like :

/site/en_abcd_org/91924.html (works perfectly fine)
but
/site/buzz_100/600.html (displays the source of the script file.)

Is my rewrite syntax off, or is this a bug? This is on a fresh install of Fedora 9.

Mike Brown

-- lost_ark

#1

Updated by stbuehler almost 12 years ago

Test with curl (and clear your browser-cache); if it really doesn't work paste your lighty version and the complete config.

#2

Updated by stbuehler almost 12 years ago

  • Status changed from New to Fixed
  • Resolution set to worksforme

missing feedback.

#3

Updated by stbuehler over 11 years ago

  • Status changed from Fixed to Missing Feedback

Also available in: Atom