Denying access to a script except by mod rewrite

Fix it!!

Denying access to a script except by mod rewrite

Postby aerra » Fri Feb 15, 2008 11:11 pm

I am having a bit of a problem, I am not sure if its an issue with how I'm using mod-rewrite or mod-rewrite isn't behaving as I expect it.

What I have is that when someone hits domain.com/test.gif it redirects to domain.com/script.cgi?test.gif using a rule like:

RewriteRule ^(.+)$ /script.cgi?$1 [PT,L]
(with proper gif only condition before it)

Problem is I don't want people to be able to go to script.cgi?test.gif externally.

There are a lot of resources online that suggest how to do this however none of them work. Ive tried:
RewriteRule ^/script.cgi.* / [F]

this always matches no matter if indirect or direct access so always shows frobidden.

Ive tried using REQUEST_URI and REDIRECT_URL as the CGI script shows that the first contains script.cgi is called directly but not if redirected and REQUEST_URL is blank if called directly. Unfortunately it seems that in Apache these actually have different values at the time of mod_rewrite executing (so they are the same be it a direct call or not).

I also tried some more unconventional things (Setting an ENV variable on the gif->script redirect and then only allowing script.cgi to be called if it is set, however by the time it does the gif->script redirect the env variable is no longer set).

I tried doing
RewriteRule ^script.cgi.* / [F,NS]

Thinking maybe the gif->script redirect was then executing through a sub request (as it isnt an external browser redirect) but no dice it always returns forbidden.

So part of the problem seems to lie that in after the initial match the entire ruleset is being rerun and it is being handled as a totally new request internally and I am not fully sure of why this is happening as from what I read it shouldn't be.


This is on Apache 2.2 for what its worth.
I could implement the REQUEST_URI check in the cgi script as that seems to reflect properly, however I would prefer to solve this with mod_rewrite for security reasons.

Let me know if I am missing anything, or anyone has any ideas. I figure it should be fairly possible to tell if a request was done through mod_rewrite rewrite or not. I know I could also have mod_rewrite append a secret key to the script.cgi and have script.cgi check for that but if someone was able to ever access the rewrite rule or an error message in script.cgi showed its url. Anyway any comments would be appericated:)
aerra
 
Posts: 1
Joined: Fri Feb 15, 2008 10:28 pm

Postby richardk » Sat Feb 16, 2008 3:18 pm

You can make sure that it is a mod_rewrite request (sub request) by making sure REDIRECT_STATUS is not empty
Code: Select all
Options +FollowSymLinks

RewriteEngine On

# It is NOT a sub request, REDIRECT_STATUS IS empty.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^script\.php$ - [F,L]

RewriteRule ^(.+)$ /script.cgi?$1 [QSA,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: Google [Bot], Yahoo [Bot] and 2 guests

cron