mod_rewrite 如何避过Apache的URL检测例程？-php教程-PHP中文网

mod_rewrite 如何避过Apache的URL检测例程？

php中文网

发布： 2016-10-12 10:04:10

原创

1230人浏览过

有以下规则

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteOptions AllowAnyURI
  Options +FollowSymLinks 
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</IfModule>

登录后复制

我需要如下的URL模式:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36')
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted

登录后复制

不重写就没问题：/index.php/resource:36
我找到了如下参考

mod_rewrite

AllowAnyURI When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.Available in Apache HTTP Server 2.4.3 and later.

是我理解错了么？
PS:sourceforge有这样格式的url：
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

补充：
类似如下的重写机制，个人亲测，在Apache的URL检测时期就返回403了，根本轮不到url重写模块

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

登录后复制

回复内容：

有以下规则

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteOptions AllowAnyURI
  Options +FollowSymLinks 
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^(.*)$ /index.php/$1 [QSA,PT,L]
</IfModule>

登录后复制

我需要如下的URL模式:/resource:36

Log:

[Wed Oct 12 09:02:01.484346 2016] [core:error] [pid 17112:tid 1888] (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:60133] AH00036: access to /resource:36 failed (filesystem path 'D:/Server/three/public/resource:36')
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.486347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.488348 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.489347 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.490349 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of Require all granted: granted
[Wed Oct 12 09:02:01.492351 2016] [authz_core:debug] [pid 17112:tid 1888] mod_authz_core.c(806): [client 127.0.0.1:60133] AH01626: authorization result of <RequireAny>: granted

登录后复制

不重写就没问题：/index.php/resource:36
我找到了如下参考

mod_rewrite

AllowAnyURI When RewriteRule is used in VirtualHost or server context with version 2.2.22 or later of httpd, mod_rewrite will only process the rewrite rules if the request URI is a URL-path. This avoids some security issues where particular rules could allow "surprising" pattern expansions (see CVE-2011-3368 and CVE-2011-4317). To lift the restriction on matching a URL-path, the AllowAnyURI option can be enabled, and mod_rewrite will apply the rule set to any request URI string, regardless of whether that string matches the URL-path grammar required by the HTTP specification.Available in Apache HTTP Server 2.4.3 and later.

是我理解错了么？
PS:sourceforge有这样格式的url：
https://sourceforge.net/directory/natlanguage:chinesesimplified/os:windows/

补充：
类似如下的重写机制，个人亲测，在Apache的URL检测时期就返回403了，根本轮不到url重写模块

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

登录后复制

思路大概是这样的，你写正则表达式的规则从URL抓取字符串，转发到index.php，当成一个参数，然后你自己写逻辑去解析这个字符串

所以你重写规则应该改成类似

RewriteRule ^(.*)$ index.php?str=$1 [QSA,PT,L]

登录后复制

然后尝试在str中解析，然后内部路由到具体类、方法执行再响应