
All the Perl that's Practical to Extract and Report

  • by wickline (135) on 2002.11.09 10:59 (#14652) Journal
    I'm sure you're already aware, but for the benefit of anyone who might find the article from your link, mod_rewrite does not help as much in the security department as the article might leave you to think. Just because the "simple" form of the URL is validated by Apache does not mean that your script can't get bad input. Users may still call the script at its actual location with real CGI parameters and give bad input.

    Security through obscurity isn't. Always check user input in your CGI script, even if you're using mod_rewrite.

    On a less negative note, here's a fun bit of rewrite to map a subdomain to a subdirectory. It would need to be changed if your filesystem/server is not case sensitive (Mac folks serving from HFS+, Windows folks, etc). Actually, it should be doing case-insensitive checks on domain names in either case. I'll leave that as an exercise for anyone who cares (translation = my bad, too lazy to fix it right now). This could be handy for folks with wildcard DNS entries who want to start making use of that namespace.
    # catch foo subdomain requests (or even subdomains of foo)
    RewriteCond   %{HTTP_HOST}    ^foo\.example\.com$ [OR]
    RewriteCond   %{HTTP_HOST}   \.foo\.example\.com$
    # which are not requests for the following specific documents
    # (which we would rather have pulled from their normal paths)
    RewriteCond   %{REQUEST_URI}                  !^/robots.txt
    RewriteCond   %{REQUEST_URI}                  !^/favicon.ico
    # and which don't already point to things in the foo directory
    RewriteCond   %{REQUEST_URI}                  !^/foo/
    # and re-write them to point to things in the foo directory
    RewriteRule   ^(.*)          http://%{HTTP_HOST}/foo/$1
     
    # for added consistency, so our resources don't end up with
    # two URLs (ie: foo.example.com/foo/x and example.com/foo/x)
    # catch requests which aren't in the foo subdomain
    RewriteCond   %{HTTP_HOST}   !^foo\.example\.com$
    RewriteCond   %{HTTP_HOST}  !\.foo\.example\.com$
    # but which point to the foo subdirectory
    RewriteCond   %{REQUEST_URI} ^/foo/
    # and force them to the foo subdomain
    RewriteRule   ^(.*)          http://foo.example.com/$1
    You could do fancier things with this. I think someone already patented using a subdomain as a session ID though. Nice way to keep an ID with a session without having to re-write any links.

    -matt
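
An added example (not part of the comment above, and not code from the linked article) of the point about validating input in the script itself. It assumes a hypothetical rewrite rule that maps /article/123 to a hypothetical script article.pl with an id parameter; the script applies the same constraint again because it can still be requested at its real location.

```perl
#!/usr/bin/perl
# Added example. Assumed setup (hypothetical rule, script name and parameter):
#   RewriteRule ^/article/([0-9]+)$ /cgi-bin/article.pl?id=$1 [PT]
# The rule only vets the pretty URL; /cgi-bin/article.pl?id=... is still
# reachable directly, so the script re-validates everything it receives.
use strict;
use warnings;

# Decode a query string into a hash ref; a repeated key is treated as invalid.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs // '') {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $v //= '';
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        return if exists $p{$k};    # ambiguous input: refuse to guess
        $p{$k} = $v;
    }
    return \%p;
}

# Same constraint the rewrite pattern expresses, enforced in the script:
# 1 to 9 ASCII digits and nothing else (\z, not $, so "12\n" fails).
sub valid_id {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9]{1,9}\z/;
    return $id + 0;
}

sub respond {
    my ($status, $body) = @_;
    print "Status: $status\r\n",
          "Content-Type: text/plain; charset=utf-8\r\n\r\n",
          "$body\n";
}

my $params = parse_query($ENV{QUERY_STRING});
my $id     = $params ? valid_id($params->{id}) : undef;

if (defined $id) {
    respond('200 OK', "article $id");          # only the validated value is used
} else {
    respond('400 Bad Request', 'invalid id');  # raw input is never echoed back
}
```

It can be exercised without a web server by setting QUERY_STRING in the environment before running it.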
    • Hi there,

      I must first admit that while I'm proudly at least somewhat of a geek, I'm a perl-idiot. I know enough to upload my perl cgi scripts with the right permission, and that's about it. And as far as .htaccess... well, um, I know about basic redirects :D

      That said, I humbly ask for your kind help.

      I run the site smilezone.com, and I just started up a blog at blog.smilezone.com. Everything's been relatively hunky dory since I discovered and implemented this in my .htaccess file to get the subdomain t