>  기사  >  백엔드 개발  >  mod_rewrite는 Apache의 URL 감지 루틴을 어떻게 우회합니까?

mod_rewrite는 Apache의 URL 감지 루틴을 어떻게 우회합니까?

WBOY
WBOY원래의
2016-10-12 10:04:101170검색

有以下规则

<code><IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteOptions AllowAnyURI
  Options +FollowSymLinks 
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</IfModule></code>

我需要如下的URL模式:/resource:36

Log:

<code>[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36')
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted</code>

不重写就没问题:/index.php/resource:36
我找到了如下参考

mod_rewrite

AllowAnyURI

When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.
Available in Apache HTTP Server 2.4.3 and later.

是我理解错了么?
PS:sourceforge有这样格式的url:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/


补充:
类似如下的重写机制,个人亲测,在Apache的URL检测时期就返回403了,根本轮不到url重写模块

<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>

回复内容:

有以下规则

<code><IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteOptions AllowAnyURI
  Options +FollowSymLinks 
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</IfModule></code>

我需要如下的URL模式:/resource:36

Log:

<code>[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36')
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted</code>

不重写就没问题:/index.php/resource:36
我找到了如下参考

mod_rewrite

AllowAnyURI

When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.
Available in Apache HTTP Server 2.4.3 and later.

是我理解错了么?
PS:sourceforge有这样格式的url:
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/


补充:
类似如下的重写机制,个人亲测,在Apache的URL检测时期就返回403了,根本轮不到url重写模块

<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>

思路大概是这样的,你写正则表达式的规则从URL抓取字符串,转发到index.php,当成一个参数,然后你自己写逻辑去解析这个字符串

所以你重写规则应该改成类似

<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>

然后尝试在str中解析,然后内部路由到具体类、方法执行再响应

성명:
본 글의 내용은 네티즌들의 자발적인 기여로 작성되었으며, 저작권은 원저작자에게 있습니다. 본 사이트는 이에 상응하는 법적 책임을 지지 않습니다. 표절이나 침해가 의심되는 콘텐츠를 발견한 경우 admin@php.cn으로 문의하세요.