
Forum Moderators: Ocean10000 & phranque


Need help with Redirect from an Alias path to a real file

I want to conceal the destination of a form script

     
10:49 pm on Dec 12, 2003 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Hi all.

I have a Website that uses CGIEmail 1.6, which uses text templates to send replies to the recipients. The CGIemail Perl script is above my web-root in a cgi-bin directory that I cannot access by my FTP client, but the html forms and template files reside in my web-root, which I can access. The web host has configured their .htaccess files so that calls to cgi-bins are sent to the correct website, but above the visible root, and they then read the template files in each client's root directory and email the form results to us.

I want to conceal the destination script and template names from prying eyes, so in my comments form I want to change the POST destination from:
action="/cgi-bin/cgiemail/template.txt"
to
action="/c/r/1"

I want POSTs to /c/r/1 to go to the actual script and template locations. Is this the correct syntax to do what I want?

RedirectMatch /c/r/1 ht*p//w*w.mydomain.tld/cgi-bin/cgiemail/mytemplate.txt

The owner of the website doesn't like me experimenting with scripts that might cause server errors and lock out any potential business, so I need to develop correct code offline.

Wiz

12:16 am on Dec 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


A couple of points:

RedirectMatch uses regular expressions, so that pattern should probably be anchored, and special characters escaped.

If you use Redirect<anything>, you're going to create an external redirect, therefore requiring the client to re-request (re-post) the form to the 'real' URL.

I'd suggest you use mod_rewrite to create a server-internal URL rewrite only.

This may not be possible, either though -- since you'll need to know the actual local filepath to the script.

Jim

12:59 am on Dec 13, 2003 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Jim;
That is my dilemma. I have to specify a full http path to the cgi-bin script, because it is above my visible web root, rather than being a subdirectory.

So, with that in mind, what needs to be escaped in these statements:

RedirectMatch ^/c/r/1$ http//www.mydomain.tld/cgi-bin/cgiemail/mytemplate.txt
?
Is it the three periods on the right side?

W

1:07 am on Dec 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


If you use the pattern exactly as shown, nothing needs to be escaped. The stuff on the right side is a literal substitution string, not a regex pattern.

However, if you use an external redirect, you are, in effect, handing the browser the correct address -- so I'm not sure there's any advantage to this exercise at all.

I've got the exact same setup on one of my hosts, and concluded there wasn't much I could do except block obviously-external referrers to the form. :(

Jim

1:20 am on Dec 13, 2003 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Now I understand what you were telling me. The addressbar will display the redirected URL, if a human submits the form. This is not going to improve security for the cgiemail forms or templates, so I'll drop the subject. Thanks for the help.

W

2:14 am on Dec 13, 2003 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


One followup question;

Is this the correct syntax for an internal Rewrite to protect against hacked forms being submitted to our email script?


RewriteCond %{REQUEST_URI} /cgi\-bin/cgiemail/.? [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.ourdomain\.com/(register|contact|reports)\.htm$
RewriteRule .* - [F]

Thanx, Wiz

6:48 am on Dec 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Wiz,

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://www\.ourdomain\.com/(register|contact|reports)\.htm$
RewriteRule ^cgi-bin/cgiemail/ - [F]

  • You'll almost certainly have to allow blank referrers, unfortunately. The first RewriteCond can be interpreted as saying, "if the referer is not blank" since it will match if there is any character(s) in the referrer. You could also write that as "!^$".
  • No need to escape the "-" character.
  • Leave the [NC] off unless you have links to cgiemail that are uppercase.
  • Because of the way that mod_rewrite works, RewriteConds are not processed unless the pattern in the RewriteRule is matched. Because of this, it is best to avoid the use of "RewriteRule .*" whenever there are lots of RewriteConds. As a matter of fact, it is best to arrange RewriteConds so that the ones most likely to fail come first... You want to "get out" as soon as possible if the Rule and Cond patterns don't match in order to speed things up. In other words, if you're gonna skip a rule, it's best to skip it as soon as possible.
  • This ruleset won't help you if your host intercepts and redirects the request for cgiemail before it gets to your code.

    If that is the case, then protect your forms:


    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^http://www\.ourdomain\.com
    RewriteRule ^(register|contact|reports)\.htm$ - [F]

Jim
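
The first ruleset in the reply above, modelled in Python as an added example (not code from the thread), to show which requests it answers with 403 and which it lets through. The domain and page names are the placeholders used in the thread; `other.example` and the sample requests are constructed. The Referer header is supplied by the client, so the ruleset filters off-site form posts rather than authenticating the request.

```python
import re

# Per-directory (.htaccess) context: the path is matched without its leading slash.
RULE_PATTERN = re.compile(r"^cgi-bin/cgiemail/")

# Consecutive RewriteConds are ANDed. Each entry is (pattern, negated).
CONDS = [
    (re.compile(r"."), False),  # Referer is not blank
    (re.compile(r"^http://www\.ourdomain\.com/(register|contact|reports)\.htm$"), True),
]


def is_forbidden(path, referer):
    """Return True when the ruleset would answer 403 ([F])."""
    # mod_rewrite tests the RewriteRule pattern first; the conditions are
    # only evaluated when that pattern matches.
    if not RULE_PATTERN.search(path.lstrip("/")):
        return False
    for pattern, negated in CONDS:
        matched = pattern.search(referer) is not None
        if matched == negated:  # condition not satisfied, rule is skipped
            return False
    return True


# Constructed sample requests: (request path, Referer header value)
SCRIPT = "/cgi-bin/cgiemail/mytemplate.txt"
SAMPLES = [
    (SCRIPT, "http://www.ourdomain.com/contact.htm"),   # listed form page
    (SCRIPT, "http://other.example/form.htm"),          # off-site form
    (SCRIPT, ""),                                       # blank Referer is allowed
    (SCRIPT, "http://www.ourdomain.com/index.htm"),     # on-site, but not a listed form
    (SCRIPT, "https://www.ourdomain.com/contact.htm"),  # pattern only covers http://
    ("/index.htm", "http://other.example/"),            # rule pattern does not match
]


def evaluate(samples=SAMPLES):
    return [(path, referer, is_forbidden(path, referer)) for path, referer in samples]


if __name__ == "__main__":
    for path, referer, blocked in evaluate():
        print(f"{'403' if blocked else 'ok ':4} {path}  Referer={referer!r}")
```

The `https://` sample shows that the anchored pattern has to be updated if the form pages are ever served over TLS, otherwise legitimate submissions are refused.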

1:56 pm on Dec 13, 2003 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


Jim;
Thanks again for that concise explanation.

Wiz