Drongo_III Posted October 30, 2014

Hi Guys

This may be a silly question. Apologies in advance.

Let's say I wanted to write a rewrite condition where I need to test both the query_string and the request_uri against the same regex. Is it possible to almost parameterise these in one line? e.g.

    RewriteCond %{REQUEST_URI, QUERY_STRING} SOME-PATTERN etc.

Or would I have to always split these across two lines using the [OR] flag:

    RewriteCond %{REQUEST_URI} SOME-PATTERN etc. [OR]
    RewriteCond %{QUERY_STRING} SOME-PATTERN etc.

Thanks,

Drongo

requinix Posted October 30, 2014 (edited)

It's possible but there's no good reason why you should. Stick with the [OR]ed solution because it's much easier to understand and work with.

[edit] You do know REQUEST_URI will include the query string, right? What is it that you're testing that needs both? Or at the very least needs REQUEST_URI instead of just using RewriteRule?

Edited October 30, 2014 by requinix

Drongo_III Posted October 30, 2014

> It's possible but there's no good reason why you should. Stick with the [OR]ed solution because it's much easier to understand and work with.
>
> [edit] You do know REQUEST_URI will include the query string, right? What is it that you're testing that needs both? Or at the very least needs REQUEST_URI instead of just using RewriteRule?

Thanks for the reply. So if I did wish to do it all in one line what is the correct syntax?

Also, are you sure that request_uri contains the query string data? It's just on the apache website they state for request_uri:

    REQUEST_URI
    The path component of the requested URI, such as "/index.html". This notably excludes the query string which is available as its own variable named QUERY_STRING.

The real reason I'm exploring this is a long story but it has to do with trying to sniff out dodgy url encoded data to stop reflected xss attacks - i.e. through scripts appended to the url. I've seen fixes for this that all target the query string parameters but the xss attack I'm trying to fix doesn't use a query string. So I figured it would be prudent to run a condition on both the query string and the url.

Incidentally this is for a flat php website so there isn't much I can do to protect the url besides htaccess.

requinix Posted October 30, 2014

> Thanks for the reply. So if I did wish to do it all in one line what is the correct syntax?

Concatenate the values, but that can mess up the matching if it tests for something that starts in one value and bleeds over into the other. Which is why I was saying not to do it.

> Also, are you sure that request_uri contains the query string data? It's just on the apache website they state for request_uri:

I had remembered doing URL matching against the REQUEST_URI specifically, including matching stuff in the query string, but I guess I was doing that in PHP code rather than using mod_rewrite. So... no.

> Incidentally this is for a flat php website so there isn't much I can do to protect the url besides htaccess.

...and fix the injection point. Because I guarantee you that you won't be able to protect against everything an attacker can dream up by using just mod_rewrite.

Drongo_III Posted October 30, 2014

Thanks Requinix - your advice is much appreciated. I will use the OR flag then to not complicate things.

I can't really fix the injection for this xss attack as it's based on someone appending to a valid url. So I'm not sure how I'd thwart that. I have another post on here where it's all explained: http://forums.phpfreaks.com/topic/292145-reflected-xss/

I was looking to use x-content-security-policy header but I've since read that trying to recognise certain patterns in the url is also a way to go.

How would you recommend getting around an xss where someone appends something like this to the url?

    %22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t

Sorry btw - don't mean to start covering things from other threads but as it came up...

requinix Posted October 30, 2014

I had a reply drafted for that other thread. Guess I didn't send it.

XSS is always fixable. You might be using something like PHP_SELF in... I don't know, is that a ? For a form specifically you can leave the action empty to have the page post back to itself, but if you must use it then you should htmlspecialchars() the value so the quotation mark they embedded in the URL (%22) doesn't break your HTML and thus lead to XSS.

Post the code for whatever generates the HTML that the XSS is exploiting (so put that in your browser, do a View Source on the page, and see where it's being outputted) and it'll take all of a few seconds to correct it.

The problem with things like X-Content-Security-Policy is they rely on browser support - IE being the problem child, as always. You can return it if you wish but you still have to do everything else.
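
The fix described in the last reply, written out as an added example (not code from the thread): a form action built from PHP_SELF, first raw and then passed through htmlspecialchars(). The script path /contact.php and the function names are hypothetical; the appended string is the one quoted earlier in the thread.

```php
<?php
// Added example; function names and /contact.php are hypothetical.

// BEFORE: PHP_SELF written straight into an attribute value.
function render_form_raw(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// AFTER: the value is encoded for an HTML attribute, so an embedded
// double quote becomes &quot; and cannot close the attribute.
function render_form_escaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// AFTER (alternative): no action at all. The browser posts back to the
// current URL and nothing from the request is written into the page.
function render_form_no_action(): string
{
    return '<form method="post">';
}

// True when request data has become markup of its own in the output.
function contains_injected_tag(string $html): bool
{
    return strpos($html, '<img') !== false;
}

// Constructed sample input: the path part of the string quoted in the
// thread, appended to a valid script URL. PHP_SELF holds the decoded
// path, including whatever follows the script name.
$appended = '%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e';
$self = '/contact.php/' . rawurldecode($appended);

$variants = [
    'raw'       => render_form_raw($self),
    'escaped'   => render_form_escaped($self),
    'no action' => render_form_no_action(),
];

foreach ($variants as $label => $html) {
    $verdict = contains_injected_tag($html) ? 'INJECTED TAG' : 'ok';
    echo str_pad($label, 10), ' ', str_pad($verdict, 13), ' ', $html, PHP_EOL;
}
```

Only the raw variant reports an injected tag; in the escaped variant the same characters arrive as inert text inside the action attribute.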