Ticket #1230 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

appending / to URL breaks access-deny setting

Reported by: jay@jayr.biz
Assigned to: jan
Priority: normal
Milestone: 1.5.0
Component: core
Version: 1.4.15
Severity: normal
Keywords:
Cc:
Blocking:
Need Feedback:

Description

If a / is appended to a URL, lighttpd incorrectly serves the original URL.

i.e. a request for

http://www.ahost.com/graphics/image.jpg/

will result in lighty serving the file at

http://www.ahost.com/graphics/image.jpg

This breaks access-deny settings! For instance, if I have configured lighty to deny hot-linked .jpg's like this:

    # deny .jpg requests whose Referer is neither empty nor this site
    $HTTP["referer"] !~ "^($|http://www.ahost.com)" {
      url.access-deny = ( ".jpg" )
    }

Then the hot-linked request for "http://www.ahost.com/graphics/image.jpg" will be denied...

But the hot-linked request for "http://www.ahost.com/graphics/image.jpg/" will be served and the access-deny setting will not be obeyed. This means that any hot-linker can get around my access-deny settings by appending the "/" to the file he wants to hot-link.

The solution is for lighty to not serve up the original file when a request for that file with an appended "/" is made.

Change History

06/15/2007 02:48:38 PM changed by jan

  • status changed from new to closed.
  • resolution set to fixed.

One solution is to use static-file.exclude-extensions = ( ".jpg" ) instead, or wait for [1871] to appear.
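
The mismatch this ticket describes, as an added example that is not part of the ticket and not lighttpd source code: a suffix rule tested against the raw URL path while the file is looked up with the trailing "/" dropped, next to a check made on the file actually served. The function names, the sample document root and the other.example referer are assumptions made for illustration.

```python
# Model of the behaviour reported in this ticket; not lighttpd's implementation.
DENIED_SUFFIXES = (".jpg",)               # mirrors url.access-deny = ( ".jpg" )
DOCROOT_FILES = {"/graphics/image.jpg"}   # constructed sample document root
ALLOWED_REFERER = "http://www.ahost.com"


def is_hotlink(referer):
    """True when the Referer is non-empty and does not start with our own site."""
    return bool(referer) and not referer.startswith(ALLOWED_REFERER)


def resolve_file(url_path):
    """Map a URL path to a file, dropping trailing slashes as the ticket reports."""
    candidate = url_path.rstrip("/")
    return candidate if candidate in DOCROOT_FILES else None


def serve_as_reported(url_path, referer):
    """Deny rule is tested against the raw URL path, then the file is resolved."""
    if is_hotlink(referer) and url_path.endswith(DENIED_SUFFIXES):
        return 403
    return 200 if resolve_file(url_path) else 404


def serve_hardened(url_path, referer):
    """Resolve first, then apply the deny rule to the file that would be served."""
    target = resolve_file(url_path)
    if target is None:
        return 404
    if is_hotlink(referer) and target.endswith(DENIED_SUFFIXES):
        return 403      # rule sees ".jpg" even when the URL ends in "/"
    if url_path != target:
        return 404      # a regular file has no "/" form; refuse the alias
    return 200


if __name__ == "__main__":
    # Constructed requests: (URL path, Referer header)
    samples = [
        ("/graphics/image.jpg", "http://other.example/page"),
        ("/graphics/image.jpg/", "http://other.example/page"),
        ("/graphics/image.jpg", "http://www.ahost.com/index.html"),
        ("/graphics/image.jpg/", ""),
    ]
    for path, ref in samples:
        print(path, repr(ref), serve_as_reported(path, ref), serve_hardened(path, ref))
```
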

