.htaccess --> Removing multiple "/"s in a URL using mod_rewrite



broncozr
September 15th, 2008, 05:28 PM
A little help please? Can anybody tell me how to remove multiple "/"s in a URL? I've been able to remove them from a Query String, but I'm having trouble with something like this:

http://mydomain.com//index.php//?something=x

I think Apache reads them as single-slashes, but I see people trying to access my site using "//"s. When I type them into my URL (like above), it seems to slow down the loading of the site. I'm not sure what effect they have.

Using URL injection (with CRLFs), hackers have been able to use my site to implement faux/phishing PayPal sites. I thought I had shut them down using mod_rewrite, but then they started using %0a to continue/perpetuate(?) the processing of the URL. Since that info is in the query string, I think I have that under control now, but I can't seem to get rid of "//"s as in the example above.

Thanks for any help!

simplistik
September 16th, 2008, 09:51 AM
What code are you trying to use now? To escape slashes you might need to do

//

which equals /

So for double slashes you'd do

////

which equals //

Then again, I think this may only work w/ forward slashes, so they might not need escaping. Try it out and see.

broncozr
September 16th, 2008, 12:16 PM
I have settled (for now) on this:


RewriteEngine On
# Any one of these conditions (chained with [OR]) sends the request to the error page
RewriteCond %{THE_REQUEST} chdir|upload|include_path|file|http://|ftp [NC,OR]
RewriteCond %{THE_REQUEST} paypal|config|include|txt [NC,OR]
RewriteCond %{THE_REQUEST} //+|%0a|%0d [NC]
RewriteRule (.*) http://mydomain.com/404.php?error_here=true [R,L]

This guy (http://www.askapache.com/htaccess/crazy-advanced-mod_rewrite-tutorial.html) wrote a really nice tutorial that uses a tool he wrote to capture all of the mod_rewrite variables and print them out. From that, I could tell what might be getting through my mod_rewrite code.

If I type this in my URL,


httpexample://mydomain.com/text_subdir/test.php?x=y//somethingouthere//?index.phpsome=x//
then different Apache variables will provide different info.

THE_REQUEST -->
GET /text_subdir/test.php?x=y//somethingouthere//?index.phpsome=x// HTTP/1.1

QUERY_STRING -->
x=y//somethingouthere//?index.phpsome=x//

I'm looking for the most efficient way to capture, inspect, and sanitize all of the URL using mod_rewrite.

Unfortunately, my web host apparently has these potentially useful ones turned off:
SCRIPT_URI, ORIG_SCRIPT_NAME, ORIG_SCRIPT_FILENAME, ORIG_PATH_INFO

Additionally, I'm redirecting using an external redirect (which I've read is inefficient), but it's the only way that I've found that will print out all of the activity in my raw access log. If there is a cleaner way to do that, then that would be great!

Actually, something just occurred to me as I was typing all that out... can someone use a form on their site to submit a POST to my site, and, if so, would that show up in the variables above? If not, then how would I combat that?

Thanks for any suggestions!
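The following is an added worked example, not code from this thread or from Apache. It transcribes the three RewriteCond patterns above into Python regexes and runs them over constructed request lines, so you can see which condition fires on which input, what THE_REQUEST and QUERY_STRING each contain, and why a POST body is never visible to these conditions (THE_REQUEST is only the raw request line: method, URI and protocol). The sample requests are made up for the demonstration; the rule labels are the example's own.

```python
import re

# The three RewriteConds from the thread, transcribed as (label, pattern).
# [NC] becomes re.I; because the conditions are chained with [OR], any single
# match is enough to trigger the RewriteRule.
RULES = [
    ("remote-include tokens", re.compile(r"chdir|upload|include_path|file|http://|ftp", re.I)),
    ("keyword list",          re.compile(r"paypal|config|include|txt", re.I)),
    ("double slash or CRLF",  re.compile(r"//+|%0a|%0d", re.I)),
]


def the_request(method: str, uri: str, protocol: str = "HTTP/1.1") -> str:
    """Build the string mod_rewrite exposes as %{THE_REQUEST}: the raw request
    line as the client sent it (URL-encoding intact), without headers or body."""
    return f"{method} {uri} {protocol}"


def query_string(uri: str) -> str:
    """What %{QUERY_STRING} holds for the same request: text after the first '?'."""
    return uri.partition("?")[2]


def matched_rules(text: str) -> list[str]:
    """Labels of the conditions that would fire when matched against `text`."""
    return [label for label, rx in RULES if rx.search(text)]


def would_redirect(request_line: str) -> bool:
    """True if the RewriteRule would send this request line to the 404 page."""
    return bool(matched_rules(request_line))


# Constructed sample requests (method, URI, optional POST body); not real log data.
SAMPLES = [
    ("GET", "/index.php?something=x", None),                  # clean request
    ("GET", "//index.php//?something=x", None),               # the case from the first post
    ("GET", "/text_subdir/test.php?x=y//somethingouthere//?index.phpsome=x//", None),
    ("GET", "/index.php?page=http://example.com/paypal.txt", None),  # several rules at once
    ("GET", "/index.php?x=1%0d%0a", None),                    # encoded CRLF
    ("GET", "/profile.php", None),                            # false positive: "profile" contains "file"
    ("POST", "/index.php", "something=x//"),                  # body never reaches THE_REQUEST
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        line = the_request(method, uri)
        hits = matched_rules(line) or ["-"]
        print(f"{line!r}")
        print(f"  QUERY_STRING={query_string(uri)!r}")
        print(f"  fires: {', '.join(hits)}")
        if body is not None:
            body_hits = matched_rules(body) or ["-"]
            print(f"  POST body {body!r} is not in THE_REQUEST; "
                  f"rules that would fire if they saw it: {', '.join(body_hits)}")
```

Two things the run makes visible: the `//+` pattern already fires on any absolute URL in the query (the `//` inside `http://`), and single words like `file` or `txt` also match ordinary paths such as `/profile.php`, so the keyword conditions will block legitimate requests unless they are anchored or tightened. For the POST question, the last sample shows that form data travels in the request body, which none of the %{...} variables used here expose; that has to be checked in the application that handles the POST.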