I have a set of rewrite rules (in a .htaccess) something like this:
RewriteRule ^list/vendor/(.*)$ list.php?vendor=$1
RewriteRule ^list/product/(.*)$ list.php?product=$1
RewriteRule ^list/(.*)$ list.php?search=$1
(I don't think the first two are relevant to my question, though).
When I type in myserver.com/list/foo%2Cbar or even myserver.com/list/foo/bar, I get the results I expect: list.php is called with foo,bar and foo/bar in $_GET['search'].
But if I type in myserver.com/list/foo%2Fbar, it seems that the rule doesn't match! I get a 404 error instead. What can be going on here? Apache 2.2.14, if it matters.
(I tried in Firefox and Chrome, same results -- but it could be the browser acting up, of course).
When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317).
However, this approach still allows too many matches. We’re storing our matches as atoms, and will be passing them to a query string, so we have to be able to trust what we match. Matching anything with (.*) is too much of a potential security hazard, and, when used inappropriately, could even cause mod_rewrite to get stuck in a loop!
In my Ubuntu it's placed at /etc/apache2/sites-available/default): After that, you should enable mod_rewrite with this command: The last one, restart your Apache service: To ensure that, you can check it again from phpinfo in Configuration > apache2handler > Loaded Modules; there must be written mod_rewrite, and it means mod_rewrite is enabled.
A rewrite rule can be invoked in httpd.conf or in .htaccess. The path generated by a rewrite rule can include a query string, or can lead to internal sub-processing, external request redirection, or internal proxy throughput. Further details, discussion, and examples are provided in the detailed mod_rewrite documentation.
Bah, I found it... Apache option AllowEncodedSlashes, which cannot be set per directory or from .htaccess, and which is Off by default.
Build-a-workaround time, if I can't get the hosting guys to turn it on in my virtual server.
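The setting named in the answer above, shown in the only place it can be set, together with a narrower pattern for the catch-all rule. This is an added example, not part of the original post; the host name, DocumentRoot and the character class in the rule are assumptions to adapt.

```apache
# --- virtual host configuration (needs server admin access) ---
# Constructed example: ServerName and DocumentRoot are placeholders.
<VirtualHost *:80>
    ServerName myserver.com
    DocumentRoot /var/www/myserver

    # Default is Off: a request path containing %2F is refused with 404,
    # so the rewrite rules in .htaccess never see /list/foo%2Fbar.
    # Allowed in server config and virtual host context only.
    AllowEncodedSlashes On

    # Where the installed httpd supports it, the value NoDecode accepts
    # %2F but leaves it encoded instead of decoding it to "/".
</VirtualHost>

# --- .htaccess in the document root ---
RewriteEngine On

# Replaces the catch-all ^list/(.*)$ rule; the vendor and product rules
# stay above it. With AllowEncodedSlashes On the pattern is matched
# against the decoded path, so foo%2Fbar arrives here as foo/bar.
# Assumed whitelist: letters, digits, comma, slash, underscore, hyphen.
RewriteRule ^list/([A-Za-z0-9,/_-]+)$ list.php?search=$1 [L]
```

Once encoded slashes are decoded, foo%2Fbar and foo/bar are indistinguishable to list.php, so $_GET['search'] must still be handled as untrusted input there.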