mod_rewrite 如何避过Apache的URL检测例程?
- WBOY原创
- 2016-10-12 10:04:101103浏览
有以下规则
<code><ifmodule mod_rewrite.c>
RewriteEngine On
RewriteOptions AllowAnyURI
Options +FollowSymLinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</ifmodule></code>
我需要如下的URL模式:/resource:36
Log:
<code>[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36') [Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted</requireany></requireany></requireany></requireany></code>
不重写就没问题:/index.php/resource:36
我找到了如下参考
mod_rewrite
AllowAnyURI
When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.
Available in Apache HTTP Server 2.4.3 and later.
是我理解错了么?
PS:sourceforge有这样格式的url:https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/
补充:
类似如下的重写机制,个人亲测,在Apache的URL检测时期就返回403了,根本轮不到url重写模块
<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>
回复内容:
有以下规则
<code><ifmodule mod_rewrite.c>
RewriteEngine On
RewriteOptions AllowAnyURI
Options +FollowSymLinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</ifmodule></code>
我需要如下的URL模式:/resource:36
Log:
<code>[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36') [Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted [Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted [Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <requireany>: granted</requireany></requireany></requireany></requireany></code>
不重写就没问题:/index.php/resource:36
我找到了如下参考
mod_rewrite
AllowAnyURI
When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.
Available in Apache HTTP Server 2.4.3 and later.
是我理解错了么?
PS:sourceforge有这样格式的url:https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/
补充:
类似如下的重写机制,个人亲测,在Apache的URL检测时期就返回403了,根本轮不到url重写模块
<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>
思路大概是这样的,你写正则表达式的规则从URL抓取字符串,转发到index.php,当成一个参数,然后你自己写逻辑去解析这个字符串
所以你重写规则应该改成类似
<code>RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]</code>
然后尝试在str中解析,然后内部路由到具体类、方法执行再响应