httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] How to serve up different content depending on authenticated user
Date Thu, 05 Feb 2009 08:41:53 GMT
Matt McCutchen wrote:
> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>> I managed to do something similar in the end, using the prefix user_
>> for each user directory then adding .htaccess to root dir of:
>>
>> AuthType Basic
>> AuthName "Restricted Files"
>> AuthUserFile /var/www/passwd/htpasswd
>> Require valid-user
>>
>> RewriteEngine on
>> RewriteCond $1 !^user_
>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>
>> The only problem with this is that any user could access other users
>> directories... so I then had to add an additional .htaccess of 
>>
>> require user spidie
>>
>> to the user_spidie directory... etc etc.
> 
> If you put the rewrite rules in the main server configuration rather
> than an htaccess file, you don't have to worry about them being run
> multiple times, so you can drop the user_ prefix and condition.  You
> don't need to condition on %{REMOTE_USER} either because rewrite rules
> don't run until after the user gains authorization.  The rule I gave
> earlier (updated for your directory name) should just work:
> 
> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
> 
(Not trying to be sarcastic here, it's a genuine question)

What happens if Evil Hacker me logs in as user1 and then requests in my 
browser http://foo.com/../user2/index.html ?
Taken literally, the RewriteRule above should rewrite this as
/var/www/accesstest/user1/../user2/index.html
no?
Is some other inner security measure stripping that .. somewhere?
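To make the concern above concrete, here is a small added example (not from the thread and not httpd code) that reproduces the rule's plain string substitution for that exact request and then applies the canonicalize-and-contain check that any path built from REMOTE_USER plus the request path needs; BASE_DIR, the function names and the sample requests are assumptions, and the username pattern is the one from Steve's RewriteCond.

```python
import posixpath
import re

# Base directory taken from the thread's RewriteRule target.
BASE_DIR = "/var/www/accesstest"
# Username shape taken from the thread's RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
USER_RE = re.compile(r"^[a-z0-9_]+$")


def rewrite_literal(remote_user: str, request_path: str) -> str:
    """Mimic RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 as
    pure text substitution: $1 is the whole request path, leading slash
    included, and nothing is normalized."""
    return f"{BASE_DIR}/{remote_user}{request_path}"


def resolve_within_user_dir(remote_user: str, request_path: str):
    """Canonicalize the rewritten path and require it to stay inside the
    authenticated user's own directory. Returns (allowed, canonical_path).

    Rejects empty or oddly shaped usernames outright, since REMOTE_USER
    is itself a path segment here and must not contain '/' or '..'."""
    if not USER_RE.match(remote_user):
        return False, ""
    user_dir = posixpath.normpath(posixpath.join(BASE_DIR, remote_user))
    target = posixpath.normpath(rewrite_literal(remote_user, request_path))
    # Containment: equal to the user dir, or strictly below it. The
    # trailing "/" stops "user10" from matching a check for "user1".
    allowed = target == user_dir or target.startswith(user_dir + "/")
    return allowed, target


if __name__ == "__main__":
    # Constructed sample: user1 asks for the traversal path from the thread.
    evil = "/../user2/index.html"
    print("literal rewrite :", rewrite_literal("user1", evil))
    print("after normpath  :", resolve_within_user_dir("user1", evil))
    print("honest request  :", resolve_within_user_dir("user1", "/index.html"))
```

Apache canonicalizes the request URI, collapsing `..` segments, before the translate-name phase in which mod_rewrite runs, so the literal path shown here does not normally reach the filesystem; the canonicalize-then-check step is still the habit to keep for anything else that builds a filesystem path from REMOTE_USER or the request.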


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

