Rewrite any string after base dir

Postby sinfocol » Wed Jun 24, 2009 5:38 pm

Hi everybody, I have some problems making a rule in my .htaccess. I searched for a similar problem but I didn't find any solution.

I have a folder in my http server: http://localhost/webcam/, I'm trying to emulate the WebcamXP server, it works in this way:
1. Get the request
2. If the file exists, WebcamXP shows it
for example:
http://webcamxp/home.html -> exists -> show
http://webcamxp/gallery/image.jpg -> exists -> show
http://webcamxp/12354512 -> it doesn't exist -> don't show
http://webcamxp/../../../../../../../../boot.ini -> it doesn't exist because Firefox replaces ../ with '' -> don't show
http://webcamxp/..%2f..%2f..%2f..%2f..%2fboot.ini -> exists -> show

I made this .htaccess, but it fails when it finds the %2f..%2f
Code:
RewriteEngine On
Options +FollowSymlinks
RewriteBase /webcam/
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?$1 [NE,L]


I think it is because I used {REQUEST_URI}, but I'm a newbie in this topic.
Thanks in advance

I read this post again, and I think that it isn't explained
The purpose of my .htaccess is:
1. Show the files that exist
2. If the file or directory doesn't exist, then redirect all the traffic to a file called index.php
for example:
http://localhost/webcam/home.html -> exists -> show
http://localhost/webcam/123 -> doesn't exist -> redirect "123" to index.php
http://localhost/webcam/gallery/image.jpg -> exists -> show
http://localhost/webcam/gallery/imagen_s -> doesn't exist -> redirect "gallery/imagen_s" to index.php
http://localhost/webcam/any_char_here -> doesn't exist -> redirect "any_char_here" to index.php
Redirect the string after "/webcam/" to index.php if the file doesn't exist.

Edited:
I probed my .htaccess and it fails when the %2F is found in the request filename, for example:
http://localhost/webcam/string%2f
But when I probe it in the query string, it doesn't fail
http://localhost/webcam/string?things%2f

Another thing, I saw all the spam messages, you can change the CAPTCHA of this site because the captcha is vulnerable, and for that all those users can register...
You can read about captchas here: http://www.phpbb.com/blog/2008/08/28/captchas-in-phpbb/
sinfocol
 
Posts: 4
Joined: Wed Jun 24, 2009 5:19 pm

Postby richardk » Thu Jun 25, 2009 1:18 pm

sinfocol wrote:
I probed my .htaccess and it fails when the %2F is found in the request filename, for example:
http://localhost/webcam/string%2f
But when I probe it in the query string, it doesn't fail
http://localhost/webcam/string?things%2f

What error do you get?

For a request to example.com/..%2ffile the %{REQUEST_FILENAME} (and %{SCRIPT_FILENAME}) variable will almost certainly be /your/document/root/..%2ffile.

sinfocol wrote:
/webcamxp/..%2f..%2f..%2f..%2f..%2fboot.ini -> exists -> show

You can't display files outside your document root.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby sinfocol » Thu Jun 25, 2009 7:11 pm

The error is a 404 error - document not found.
I was reading on other websites, and the solution to this is to set an option in the httpd.conf configuration file: http://httpd.apache.org/docs/2.0/mod/co ... dedslashes , but I don't have the right to do that

I know that we can't view the files outside the document root, and for that I want to make a rule. I'm trying to emulate the WebcamXP server, to mount an informatic challenge on my website. And for that I want to make a rule where all the content after the "webcam/" string is redirected to an index.php file.

Thanks.
sinfocol
 
Posts: 4
Joined: Wed Jun 24, 2009 5:19 pm

Postby richardk » Fri Jun 26, 2009 8:53 am

sinfocol wrote:
The error is a 404 error - document not found.
I was reading on other websites, and the solution to this is to set an option in the httpd.conf configuration file: http://httpd.apache.org/docs/2.0/mod/co ... dedslashes , but I don't have the right to do that

Then you can't do it (unless you use the query string instead).

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes wrote:
The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on according systems) to be used. Normally such URLs are refused with a 404 (Not found) error.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby sinfocol » Mon Jun 29, 2009 10:58 pm

How can I use QUERY_STRING to return whether the file exists? If that is impossible to do, how can I redirect all the traffic to index.php? (Here I don't care if the file exists or not, because the index.php can show it)
Thanks for your help, richard
sinfocol
 
Posts: 4
Joined: Wed Jun 24, 2009 5:19 pm

Postby richardk » Tue Jun 30, 2009 3:00 pm

sinfocol wrote:
How can I do with QUERY_STRING to return if the file exists

With
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} -f
RewriteRule ^$ /index.php [QSA,L]

If you visited /?C:/dir/file.ext it would check if it existed, and if it did it would send the request to index.php. Relative paths are unlikely to work (I haven't tried though).

sinfocol wrote:
how can I redirect all the traffic to index.php

Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)$ /index.php?$1 [QSA,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
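
An added example, not part of the original thread or of either poster's code: with the catch-all rule above, everything after the base directory reaches index.php as the query string, so the script is the only place left to keep a decoded ..%2f from leaving the directory. The code assumes a hypothetical files/ directory next to index.php; BASE_DIR and resolve_request() are illustrative names.

```php
<?php
// Added example: hypothetical index.php behind
//   RewriteRule ^(.+)$ /index.php?$1 [QSA,L]
// BASE_DIR and resolve_request() are illustrative names, not from the thread.

const BASE_DIR = __DIR__ . '/files';   // assumed directory holding the servable files

/**
 * Map the rewritten request string to a file inside $base, or return null.
 */
function resolve_request(string $raw, string $base): ?string
{
    // With [QSA] the client's own query string is appended after '&';
    // keep only the part that came from the rewritten path.
    $path = explode('&', $raw, 2)[0];

    // Decode exactly once, so "%2f" becomes "/" and is judged like a real slash.
    $path = rawurldecode($path);

    // Reject empty input, NUL bytes and backslashes (a separator on Windows).
    if ($path === '' || strpbrk($path, "\0\\") !== false) {
        return null;
    }

    // realpath() collapses "..", follows symlinks and fails for missing files.
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $path);
    if ($baseReal === false || $target === false || !is_file($target)) {
        return null;
    }

    // Containment check: the resolved file must still live under the base dir.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

$file = resolve_request($_SERVER['QUERY_STRING'] ?? '', BASE_DIR);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
// mime_content_type() needs the fileinfo extension; fall back to a generic type.
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
readfile($file);
```

The prefix comparison runs on the realpath() result, not on the request string, so encoded separators, repeated slashes and symlinks are all judged after resolution.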

Postby sinfocol » Sun Jul 05, 2009 9:33 pm

It didn't work, I tried to access "http://localhost/..%2f..%2f", but the server throws Not found. I will try with the "THE_REQUEST" option, and then I will post here the output for the .htaccess.
Thanks again for your help, any idea to implement?

I used this:
RewriteEngine On
Options +FollowSymlinks
RewriteBase /webcamxp/
RewriteRule ^(.*)$ index.php?%{THE_REQUEST} [NE,L]

It works with any char and shows me all the HTTP header "GET /string HTTP/1.1", but when I used ..%2f..%2f it fails, and shows me the same Not found. I don't know what to do :(
sinfocol
 
Posts: 4
Joined: Wed Jun 24, 2009 5:19 pm

Postby richardk » Mon Jul 06, 2009 12:15 pm

sinfocol wrote:
It didn't work, I tried to access "http://localhost/..%2f..%2f", but the server throws Not found

Then you can't do it.

sinfocol wrote:
It works with any char and shows me all the HTTP header "GET /string HTTP/1.1", but when I used ..%2f..%2f it fails, and shows me the same Not found.

Don't use %2f, use /.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
