Re: php scripts and triple slashes



"Jeff" <jeff@xxxxxxxxxxxxxxx> wrote in message news:4p6dnVj8d98da33VnZ2dnUVZ_q7inZ2d@xxxxxxxxxxxxxxxx
mijn naam wrote:
"Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@xxxxxxxxxxxxxxxx> wrote in message news:48e0ebcb$0$187$e4fe514c@xxxxxxxxxxxxxxxxx

http://hostname/debug/one/two///three/four

in other words: http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.

I'm sure I disabled mod_rewrite. At the server restart, Apache complained "Invalid command 'RewriteLog', perhaps mis-spelled or defined by a module not included in the server configuration" (I forgot to remove one such line at first).


Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script without mod_rewrite???

the php script is debug.php ...

Are you sure you are telling the whole story?

... and Apache is set up with Options MultiViews. I didn't hide that on purpose.

What about simply dismissing a request that has more than one / in the URL?
That must be an invalid request, since (I expect) you deliver the directory links yourself, and thus correctly formatted.

That would also be an option. However: nobody's perfect, a mistake is easily made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a slash, dir starts or ends with a slash, dir is empty, and so on. Apache couldn't care less and will happily serve .///something/different.html

Note that two slashes, as in http://, are part of the protocol.

If I serve http://some_domain.com//some_path, this will look like http://some_domain.com/http://somepath, or something like that...

I've stayed out of this thread because I'm hazy on this, but you should be aware that serving two slashes will be interpreted differently than what you want; it is not a directory separator.


Not on the Apache servers I'm dealing with. You could be right for other servers.

Anyway, I'm trying to have proper URLs on my end, and at the same time I want to be prepared if anyone/anybot is trying trickery on me.

For now I'll use that workaround of redirecting to a cleaned up version of the URI.

But I still would appreciate any insight on the problem I found.
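
The workaround mentioned above (redirecting to a cleaned-up version of the URI) and the path-concatenation pitfall from `$ptr="./{$dir}/{$path}"` could be handled as follows. This is an added example, not code from any poster in the thread; the function names `clean_request_uri` and `join_path` are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

/**
 * Return the request URI with runs of slashes in the path collapsed to one,
 * leaving the query string untouched.
 */
function clean_request_uri(string $requestUri): string
{
    // Split manually: parse_url() would treat a leading "//" as a host name.
    $parts = explode('?', $requestUri, 2);
    $path  = preg_replace('#/{2,}#', '/', $parts[0]);

    // Always anchor at a single "/" so the result can never be read as a
    // scheme-relative URL ("//other-host/...") in a Location header.
    $path = '/' . ltrim($path, '/');

    return isset($parts[1]) ? $path . '?' . $parts[1] : $path;
}

/** Join path segments with exactly one slash between them, skipping empty ones. */
function join_path(string ...$segments): string
{
    $clean = [];
    foreach ($segments as $s) {
        $s = trim($s, '/');
        if ($s !== '') {
            $clean[] = $s;
        }
    }
    return implode('/', $clean);
}

// In a web request: redirect once if the URI was not already clean.
if (PHP_SAPI !== 'cli' && isset($_SERVER['REQUEST_URI'])) {
    $uri   = $_SERVER['REQUEST_URI'];
    $clean = clean_request_uri($uri);
    if ($clean !== $uri) {
        header('Location: ' . $clean, true, 301);
        exit;
    }
}

// Constructed sample inputs, for running from the command line.
if (PHP_SAPI === 'cli') {
    var_dump(clean_request_uri('/debug/one/two///three/four'));
    var_dump(clean_request_uri('//debug/one?next=a//b'));
    var_dump('./' . join_path('', '/one/', '/two'));
}
```

Comparing the cleaned value against the original before redirecting avoids a redirect loop, and collapsing a leading `//` keeps the `Location` value from being interpreted as pointing at another host.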
