
Server Forces Download Before Checking .htaccess

The server allows a file to be downloaded before checking the .htaccess

         

Daleeburg

4:59 pm on Sep 24, 2007 (gmt 0)

10+ Year Member



I have been struggling with a rewrite rule for about a month now. Here it is.


RewriteEngine On
Options +FollowSymLinks

# Rewrite /file_man/files/xxxx/yyyy.zzz to test.php?file=yyyy&type=zzz&user=xxxx
# The dot before the extension is escaped so that it matches a literal "." only
RewriteRule ^file_man/files/([^/]+)/([^\.]+)\.([^/]+)$ /file_man/test.php?user=$1&file=$2&type=$3 [NC,L]

I could not get the thing to work, but by accident I typed in the name of a file that did not exist and it worked fine. The problem is that I am trying to protect files that do exist. Apparently Apache sees there is a file that the URL is referring to and allows downloading before it checks the .htaccess to learn that it should rewrite this URL to run it through a confirmation script. Any way to reverse this?

~d

jdMorgan

9:08 pm on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What "downloadable" filetypes are involved?

What version of Apache are you running?

Where is this .htaccess code located? In your Web root directory, or elsewhere?

Do you have any other "rewrite to script" rules or mod_alias directives in this .htaccess file, in any .htaccess file(s) above this one, or in the httpd.conf server config file?

Generally, it requires "some other agent" to cause Apache to exit the URL-to-filename translation API phase (where .htaccess is processed) and enter the content-handling phase. Apache core will not do this by itself, so I'm looking for that other "agent" or agents.

Jim

jdMorgan

9:14 pm on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, if "file_man" is actually a shared cgi script, then mod_rewrite may be bypassed if the script is "Aliased" in httpd.conf. A work-around would be to never call file_man directly, but use an alternate URL for it and also rewrite that URL. So basically, you don't allow the file_man alias directive to be activated, except after mod_rewrite has rewritten its new URL to the 'real' one that the Alias directive handles, and so you can then be sure that your mod_rewrite rules will be processed.

Another work-around, possibly simpler, might be to move all the content files out from under the file_man directory, so the alias only applies to the script itself.

That's all I can come up with based on the provided info.

Jim
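
Added example (not code from any poster in this thread): a sketch of the confirmation script the rewrite rule points at, taking the "move the content files" suggestion one step further by keeping them outside the web-served tree, so a rule that fails to fire cannot expose them. STORAGE_ROOT, ALLOWED_TYPES, NAME_RE and the $_SESSION['user'] login marker are assumed names, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not the poster's test.php. Assumed names: STORAGE_ROOT,
// ALLOWED_TYPES, NAME_RE, and a login page that sets $_SESSION['user'].
const STORAGE_ROOT  = '/srv/private/file_man/files'; // hypothetical, outside the web root
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'zip' => 'application/zip'];
const NAME_RE       = '/\A[A-Za-z0-9_-]{1,64}\z/';   // no dots, slashes or NUL bytes
// Return a query parameter only if it is a plain string (rejects user[]=...).
function param(string $key): string
{
    $v = $_GET[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Map the three values passed by the RewriteRule to a real file, or null.
function resolve_download(string $user, string $file, string $type): ?string
{
    if (!array_key_exists($type, ALLOWED_TYPES)
        || !preg_match(NAME_RE, $user) || !preg_match(NAME_RE, $file)) {
        return null;
    }
    $root = realpath(STORAGE_ROOT);
    $path = realpath(STORAGE_ROOT . "/$user/$file.$type");
    // realpath() follows symlinks, so re-check that the result is still under the root.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
$user = param('user');
$file = param('file');
$type = strtolower(param('type')); // the rule uses [NC], so normalise case
// Authorise first, so the response does not reveal which files exist.
if (!isset($_SESSION['user']) || $_SESSION['user'] !== $user) {
    http_response_code(403);
    exit('Forbidden');
}
$path = resolve_download($user, $file, $type);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . ALLOWED_TYPES[$type]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . "$file.$type" . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With the files stored this way, the rewrite rule only provides the friendly URL; access control lives in the script and does not depend on the order in which the server processes .htaccess.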

Daleeburg

2:03 pm on Sep 26, 2007 (gmt 0)

10+ Year Member



I am running WAMP 5 v1.7.3, with the mod_rewrite module running.

It has Apache 1.3

File_man is a folder on the server

The htaccess is in the folder file_man

That is the whole htaccess file

The problem is that I am trying to protect these files from unauthorized users downloading them.

I am currently working on my test server, I will try uploading it today and running it hidden on my web server and see if it is just something with my test server.

Thanks
~D

Daleeburg

2:17 pm on Sep 26, 2007 (gmt 0)

10+ Year Member



I tried it on the production server and it works fine, so I really am not horribly worried, but it would be nice to know why my test server is acting that way.

jdMorgan

2:20 pm on Sep 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not to overlook the obvious, but did you completely flush your browser cache after changing the .htaccess code on your test server? If not, your browser would have continued to show you the request results it had cached locally, until the cache expired or was overwritten by newer page requests.

Jim

Daleeburg

6:39 pm on Sep 26, 2007 (gmt 0)

10+ Year Member



Yes, I did. I have made that mistake before and felt really stupid.

Gibble

6:47 pm on Sep 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't feel stupid, we've ALL made that mistake before, and probably all will again.