 

mod_rewrite NE flag - When is it helpful to encode special chars in the URL?

I've been looking at the [NE] (noescape) flag in mod_rewrite. After some thought I couldn't figure out a situation when I would NOT want to use the flag. Meaning, it seems most helpful to keep the flag enabled in almost every RewriteRule. Not invoking this flag has caused me problems in a few circumstances.

Most of the rules that I deal with are HTTP redirects ([R]), rather than passing through.

Would someone shed some light as to when it is helpful to have mod_rewrite encode the URL?

Is it generally good practice to enable this flag, or use the default behavior of allowing mod_rewrite to escape these special characters? Why?

Vahid Pazirandeh asked Mar 11 '11 23:03




1 Answer

If you look at the source code for mod_rewrite, you'll notice that it sets a proxy-nocanon flag if noescape is enabled.

In the revision where that line was first added, it also included this comment:

make sure that mod_proxy_http doesn't canonicalize the URI, and preserve any (possibly qsappend'd) query string in the filename for mod_proxy_http:proxy_http_canon()

Following on from that, if you read the mod_proxy documentation, you'll see the following mention of nocanon:

Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL path "raw" to the backend. Note that may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

I may be mistaken, but that implies to me that the use of nocanon in mod_proxy (and by extension noescape in mod_rewrite) has potential security ramifications. That would explain why it is disabled by default, even though it seems like it would be more useful to have it enabled in most cases.

James Holderness answered Sep 27 '22 20:09
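A configuration sketch of the distinction the answer draws, added here as an example and not taken from the question, the answer or the Apache source. The URL paths and the backend address are placeholders.

```apache
# Added example: paths and the backend address below are placeholders.
RewriteEngine On

# Case 1: the substitution itself contains a special character that must
# reach the client unchanged. Without NE the "#" is escaped to %23 and the
# redirect points at a path that does not exist. The capture is restricted
# to characters that never need escaping, so turning escaping off here
# cannot let request data alter the structure of the Location header.
RewriteRule "^/anchor/([A-Za-z0-9_-]+)$" "/bigpage.html#$1" [NE,R=302,L]

# Case 2: an open-ended capture is copied into the redirect target.
# RewriteRule matches against the already-decoded URL path, so $1 can hold
# spaces, "?", "#" and similar characters. Keep the default behaviour (no NE)
# so mod_rewrite re-escapes them before building the redirect.
RewriteRule "^/old/(.*)$" "/new/$1" [R=301,L]

# Case 3: proxying through mod_rewrite. Per the answer above, adding NE to a
# rule like this one sets proxy-nocanon, which stops mod_proxy from
# canonicalising the URL and passes the path "raw" to the backend.
# Leave NE off unless the backend needs the raw path (for example,
# PATH_INFO handling) and validates the URL itself.
RewriteRule "^/app/(.*)$" "http://127.0.0.1:8080/app/$1" [P,L]
```

For rules that do need NE, tightening the pattern as in Case 1 keeps the unescaped part of the target limited to characters chosen by the rule author.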