Apache Web Server Forum

Not Allowing Spam Words in a Query String - revisiting an old problem
bwnbwn
msg:4233852
10:45 pm on Nov 22, 2010 (gmt 0)

I have an issue I was afraid would pop up.
[webmasterworld.com...]

example.com/?something is throwing a 200 for our domain. I asked our IT department to help me solve this issue when this came to light, but I just can't get them to take it on. Now I am seeing URLs linking to our site using the above.

Problem is we rewrite the URLs from our CMS:
example.com/?id=folder/something is rewritten to
example.com/folder/something.htm

I have tried to find a fix and just can't seem to understand the way to write the rule to allow the URL rewrite to work correctly but not allow ?anything to 301 to a 404.

I assume I will have to allow ?id= to go through so the rules are not broken. This is a little over my head, and I think our IT department's too, so if possible could some of the more advanced members help me out here.

 

sublime1
msg:4235806
1:28 am on Nov 28, 2010 (gmt 0)

So your rewrite is blindly removing the ?id= query string parameter and tacking on a .htm?

Then what? Somewhere, you need rules or code that checks to make sure the request is valid before returning a 200 "OK" response. If your response is always a file, you could use the -f check in a RewriteCond.

Can you post an example of the actual rewrite rules from the .htaccess file?

Tom

g1smd
msg:4235863
9:17 am on Nov 28, 2010 (gmt 0)

You just need to check THE_REQUEST contains a parameter using a RewriteCond, and then the associated RewriteRule will use the [F] flag to bar access.

It's two lines of code to fix the problem, as long as there are no URLs on the site using parameters.

Of course the server paths use parameters after the rewrite "inside the server", but we need to be sure that parameters are not used in URLs "out on the web".


Problem is we rewrite the URLs from our CMS:
example.com/?id=folder/something is rewritten to
example.com/folder/something.htm

Explaining it that way is what is confusing you.

What the rewrite actually does is accept a URL request from "out on the web" for example.com/folder/something.htm and fetch content from the internal path "inside the server" at /index.php?id=folder/something instead of the server internal path suggested by the URL.

A rewrite does not "change" any URLs. It changes where inside the server the content to fulfill a URL request will be fetched from.

Be aware that the slash is NOT a valid character for use in parameters. Using it breaks the HTTP specifications.

jdMorgan
msg:4237640
11:16 pm on Dec 1, 2010 (gmt 0)

# Alternate rule 1 - Forbid any client requests with query strings
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\?[^\ ]*\ HTTP/
RewriteRule ^ - [F]
#
# Alternate rule 2 - Redirect client requests with query strings to remove the query string
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\?([^\ ]*)\ HTTP/
RewriteRule ^(.*)$ http://www.example.com/$1? [R=301,L]

Jim
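Pulling the thread together, as an added example (not code from any of the posters): a complete .htaccess that keeps the CMS's internal rewrite and puts Jim's THE_REQUEST guard in front of it, answering bwnbwn's worry that ?id= would need an exemption. It assumes the back end is /index.php?id=folder/something as bwnbwn described, and the "page=" exemption is a hypothetical allow-list entry, not something from the thread.

```apache
# Added example, not from the thread. Assumes the CMS lives at /index.php
# and reads ?id=folder/something; "page=" is a hypothetical public parameter.
RewriteEngine On

# 1. Refuse any request whose ORIGINAL request line carries a query string.
#    THE_REQUEST is the raw line the client sent ("GET /x?y HTTP/1.1"), so
#    the internal rewrite in step 2 never changes it: for a normal page URL
#    "?id=" is never in THE_REQUEST, so no exemption for ?id= is needed.
#    First condition: skip the block for one allow-listed public parameter
#    (hypothetical "page=N"); both conditions must hold for the rule to fire.
#    R=404 answers Not Found, which is what the original post asked for;
#    use [F] instead if a 403 Forbidden is preferred.
RewriteCond %{THE_REQUEST} !^[A-Z]+\ /[^?\ ]*\?page=[0-9]+\ HTTP/
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\?[^\ ]*\ HTTP/
RewriteRule ^ - [R=404,L]

# 2. Map the public URL example.com/folder/something.htm to the CMS script.
#    The client never sees this; the content is fetched from index.php.
#    QSA appends the (already allow-listed) original query string so that
#    an exempted page=N still reaches the script; -f leaves real files alone.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)/([^/]+)\.htm$ /index.php?id=$1/$2 [QSA,L]
```

When the rewritten request is re-processed by .htaccess, rule 1 still sees the untouched request line and rule 2 no longer matches /index.php, so the loop ends with the CMS serving the page.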

londrum
msg:4237787
10:42 am on Dec 2, 2010 (gmt 0)

Here's a little PHP thing that I use. All you've got to do is change the blah1 blah2 blah3 bit at the end so it contains the query strings that you actually allow, and then if someone visits a URL that contains anything else it will automatically be written out.

You'll have to add something at the end so that it redirects, though, otherwise nothing will happen.

<?php
// Script path and raw query string of the current request
$file_name    = $_SERVER['SCRIPT_NAME'];
$query_string = $_SERVER['QUERY_STRING'];

// Rebuild the query string keeping only the parameters named in $allowed;
// anything else the visitor tacked on is dropped.
function rebuildQueryString($allowed = array()) {
    $allowed = array_flip($allowed);   // allow list as keys for isset() lookup
    $get = array();

    foreach ($_GET as $key => $val) {
        if (isset($allowed[$key])) {
            $get[$key] = $key . "=" . urlencode($val);
        }
    }

    return implode("&", $get);
}

if ($query_string == '') {
    $full_url = 'http://www.example.com' . $file_name;
} else {
    $query_string = rebuildQueryString(array("blah1", "blah2", "blah3"));
    // Only append "?" when at least one allowed parameter survived
    $full_url = 'http://www.example.com' . $file_name
              . ($query_string == '' ? '' : '?' . $query_string);
}