Interesting .htaccess

Posted: Fri Dec 19, 2008 1:01 am
by alex.barylski
From the Joomla .htaccess:

# RewriteEngine must be on for any of the rules below to take effect
RewriteEngine On

#1 Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

#2 Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

#3 Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#4 Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#5 Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

#6 Send all blocked requests to homepage with 403 Forbidden error!
# [F] answers 403 immediately and implies [L]; the index.php target is
# never used, so nothing is actually forwarded or redirected.
RewriteRule ^(.*)$ index.php [F,L]
A few questions before I copy this verbatim... :)

1. Is that really necessary? Isn't this better handled by disabling this feature in php.ini?

3. I like this one... very clever, I think.

4. Isn't this doing the same things as #1?

5. Same as above?

6. Isn't it forwarding the request to index.php?

I'd like the opinion of someone more .htaccess savvy than myself to go over this quickly and agree, disagree and hopefully explain why.

Cheers,
Alex

Re: Interesting .htaccess

Posted: Wed Jan 28, 2009 1:23 am
by josh
1. No, not necessary; yes, better with php.ini. Obviously most of their users are pretty limited, though.

3. Eh, I think it's pretty pointless if your app was secure. Seeing as they have a track record of insecure plugin authors it makes sense, but I'd rather see them enforce adhering to the framework's way of programming. I see plugin authors completely reimplement the stuff Joomla already does, which is annoying for other programmers at best.

4. No.

5. No, but probably equally pointless.

6. I don't understand your question; it's just saying that if any of the previous rules match then it will redirect to the homepage, as a last rule, and presumably the F flag triggers a 403.

Ideally you would do this with code anyway.
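To make questions 1, 4, 5 and 6 above concrete, here is an added example (an editor's transcription, not code from Joomla or from either poster) that emulates the five RewriteConds in Python and runs them over a few constructed query strings. It relies on three documented mod_rewrite behaviours: %{QUERY_STRING} is the raw, still-percent-encoded query string; conditions joined with [OR] are ORed and the final RewriteRule ^(.*)$ fires if any of them match; and [F] makes Apache answer 403 immediately without performing the substitution, so nothing is forwarded to index.php. The names RULES, COMPILED, matching_rules, decide and SAMPLES, and the example.com URLs, are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# The five RewriteCond patterns from the posted .htaccess, copied verbatim.
# mod_rewrite tests %{QUERY_STRING} against the raw, still-percent-encoded
# query string, which is why the patterns list both "<" and "%3C".
# Only rule #3 carries [NC], so only it is compiled case-insensitively.
RULES = [
    ("#1 mosConfig",  r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",   0),
    ("#2 base64",     r"base64_encode.*\(.*\)",                0),
    ("#3 script tag", r"(\<|%3C).*script.*(\>|%3E)",           re.IGNORECASE),
    ("#4 GLOBALS",    r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",        0),
    ("#5 _REQUEST",   r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",       0),
]
COMPILED = [(name, re.compile(pattern, flags)) for name, pattern, flags in RULES]


def matching_rules(query_string):
    """Names of the RewriteConds whose regex matches the raw query string."""
    return [name for name, regex in COMPILED if regex.search(query_string)]


def decide(url):
    """Emulate the rule chain for one request URL.

    The conditions are chained with [OR], the final RewriteRule ^(.*)$
    matches every path, and [F] makes Apache send 403 straight away
    without using the index.php substitution. So the only outcomes are
    "403" (some condition matched) or "pass" (none did). The conditions
    never see a POST body: only the query string is inspected.
    """
    hits = matching_rules(urlsplit(url).query)
    return ("403" if hits else "pass", hits)


# Constructed request URLs for the demo (not taken from any real log).
SAMPLES = [
    "http://example.com/index.php?option=com_content&id=5",
    "http://example.com/index.php?mosConfig_absolute_path=x",
    "http://example.com/index.php?mosconfig_live_site=x",      # no [NC] on #1
    "http://example.com/index.php?GLOBALS[foo]=bar",            # #4, not #1
    "http://example.com/index.php?_REQUEST[x]=1",               # #5, not #4
    "http://example.com/index.php?x=%3cSCRIPT%3e",              # [NC] on #3
    "http://example.com/index.php?q=base64_encode(foo)",
    # harmless encoded <p> plus the word "description" trips #3's loose .*
    "http://example.com/index.php?text=%3Cp%3EPlease+read+the+description%3C%2Fp%3E",
]

if __name__ == "__main__":
    for url in SAMPLES:
        status, hits = decide(url)
        print(f"{status:4}  {url}  {hits or '-'}")
```

Running it shows that #1, #4 and #5 look for three different parameter names (mosConfig_*, GLOBALS and _REQUEST) and so are not duplicates of each other, that only #3 is case-insensitive because only it carries [NC], that the `.*` in #3 also blocks an encoded `<p>` wrapped around the word "description", and that none of the conditions ever inspects a POST body, which is why doing the same check in application code (or turning register_globals off in php.ini) is the more complete fix.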