URL Rewrite of a value 2.0 - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

URL Rewrite of a value 2.0

hammerite

8:56 pm on Mar 21, 2017 (gmt 0)

10+ Year Member

Hi everyone,

So awhile back with some assistance I was able to come up with a valid way to extract some data from a users ssl certificate for further processing down the line by way of setting a header.

The string in question looked something like this:

sno=760081+%280xb9911%29&subject=C%3DXX%2C+O%3Dexample.com%2C+OU%3DBLAHBLAH%2C+OU%3DPKI%2C+OU%3DEMPLOYEE%2C+CN%3DLAST.FIRST.MIDDLE.1234567890&validfrom=Jan++1+00%3A00%3A00+2017+GMT&validto=Jan+31+23%3A59%3A59+2018+GMT&issuer=C%3DX.X%2C+O%3Dexample.com%2C+OU%3DBLAHBLAH%2C+OU%3DPKI%2C+CN%3DCA.example.com&policy_oids=2.16.840.1.101.2.1.11.42

To do so i ended up using:

RewriteCond %{HTTP:Client-Cert} (CN%3D)([A-Z-\s']+\.)(?:[A-Z-\s']+\.)*(\d+)
RewriteRule (.*) - [E=USER:%2%3]
RequestHeader set ID %{USER}e

Which finally results in:
LAST.1234567890

Whats happening now:

There was recently a hardware device installed before our webservers which is replacing spaces with a + symbol (easy to deal with) & an apostrophe replaced with a %27 (not easy to handle),I was able to modify the condition to handle the + by simply using:

RewriteCond %{HTTP:Client-Cert} (CN%3D)([A-Z-\s'+]+\.)(?:[A-Z-\s'+]+\.)*(\d+)

And that solved the issue for spaces. However we really need to revert the %27 back to an apostrophe somehow, the network device installed is not capable of doing so, I'm left with using apache regex to attempt to do this.

Can anyone think of a way to do this inside the condition in order to avoid adding a ton of rules, or If this can be done at all?

Thanks for your time everyone!

lucy24

9:58 pm on Mar 21, 2017 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Apache was definitely not designed for mass-replaces. You could rewrite incoming page requests to a quickie php script that performs all needed substitutions, but let's look for other options.

Can there be multiple apostrophes in the same request? Will they ever form part of the capture? Your existing Rule suggests not (if I'm reading the %2%3 correctly) so that helps. If so, you might be able to use something unattractive and messy-looking, like replacing all occurrences of
[A-Z\s'+-]+
with
(?:[A-Z\s'+-]|%27)+

Incidentally:
[A-Z-\s'+]
What's the second hyphen for? It may have unintended consequences; for safety I'd keep it as the very last item inside the grouping brackets if you mean a literal hyphen.

Hyphens at other positions in character classes where they can't form a range may be interpreted as literals or as errors. Regex flavors are quite inconsistent about this.

hammerite

1:30 am on Mar 22, 2017 (gmt 0)

10+ Year Member

Sadly, I will not be using PHP for this, far too many security flaws.

See this isn't a page request, but instead a header manipulation.

I used ([A-Z-\s'+]+\.)(?:[A-Z-\s'+]+\.)*(\d+)

As I had many instances of hyphenated last, first and middle names and all fields had to be parsed or the header value ended up NULL.

There can often be multitudes of awful combinations of the above coupled with multiple apostrophes. I'm seeing an impact, it's kind of irritating really. Where I could pick them out before with no problems at all. Now all apostrophes are being converted to %27.

So previously I would see users like l'a st.f'ir s-t.m-id dle.1234567890 and the current condition works perfectly. But with the new hardware in front of the server I'll find the very same user represented as l%27a st.f%27ir s-t.m-id dle.1234567890. Thanks for the ideas!

phranque

6:20 am on Mar 22, 2017 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

i think you can find some clues if you read jdmorgan's 2nd post in this 10 year old thread - A guide to fixing duplicate content & URL issues on Apache:
https://www.webmasterworld.com/apache/3208525.htm [webmasterworld.com]

it will help you into the deep end if you're up to it.
don't be intimidated by the enormity of the code.
just take it one ruleset at a time and i think you will recognize some techniques that may be adaptable to your solution.

(also note that post was written for apache 1.3.
if you cut-and-paste any code, verify nothing has changed regarding apache 2.x.
you should be okay - all the regular expression stuff should be unchanged.)

hammerite

4:14 pm on Apr 3, 2017 (gmt 0)

10+ Year Member

Sadly there is no clean way to revert it back into an apostrophe, so I just had those handful of usernames converted to the %27 and they were able to login. Doesn't matter to them they can't see it anyway. :) Thanks everyone!