Commit 20f8634c authored by Eric Covener

xforms for AllowAnyURI


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489912 13f79535-47bb-0310-9956-ffa450edef68
parent c54bce8c
+39 −0
@@ -1134,8 +1134,47 @@ later</td></tr>
      responds with an 500 Internal Server Error. If you really need
      more internal redirects than 10 per request, you may increase
      the default to the desired value.</dd>

      <dt><code>AllowAnyURI</code></dt>
      <dd>

      <p>When <code class="directive"><a href="#rewriterule">RewriteRule</a></code>
      is used in <code>VirtualHost</code> or server context with
      version 2.0.65 or later of httpd, <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code>
      will only process the rewrite rules if the request URI is a <a href="./directive-dict.html#Syntax">URL-path</a>.  This avoids
      some security issues where particular rules could allow
      "surprising" pattern expansions (see <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
      and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>).
      To lift the restriction on matching a URL-path, the
      <code>AllowAnyURI</code> option can be enabled, and
      <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> will apply the rule set to any
      request URI string, regardless of whether that string matches
      the URL-path grammar required by the HTTP specification.</p>

      <div class="warning">
      <h3>Security Warning</h3> 

      <p>Enabling this option will make the server vulnerable to
      security issues if used with rewrite rules which are not
      carefully authored.  It is <strong>strongly recommended</strong>
      that this option is not used.  In particular, beware of input
      strings containing the '<code>@</code>' character which could
      change the interpretation of the transformed URI, as per the
      above CVE names.</p>
      </div>
      </dd>

      <dt><code>MergeBase</code></dt>
      <dd>

      <p>With this option, the value of <code class="directive"><a href="#rewritebase">RewriteBase</a></code> is copied from where it's explicitly defined
      into any sub-directory or sub-location that doesn't define its own
      <code class="directive"><a href="#rewritebase">RewriteBase</a></code>.
      This flag is available for Apache HTTP Server 2.0.65 and later.</p>
      </dd>
      </dl>


</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="RewriteRule" id="RewriteRule">RewriteRule</a> <a name="rewriterule" id="rewriterule">Directive</a></h2>
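Review bot: The Security Warning under AllowAnyURI tells the reader to beware of input strings containing '@' but gives no guidance on what a carefully authored rule looks like. Consider adding a sentence on how to write the pattern and substitution so the transformed URI cannot be reinterpreted, or a link to the section that covers it. The first paragraph also says the rules are only processed when the request URI is a URL-path, without saying what the server does with a request that is not one (rules skipped and the request handled normally, or an error response); a short statement of that behaviour would help admins decide whether they need the option at all. Minor points: the MergeBase entry calls itself a "flag" ("This flag is available for ...") while AllowAnyURI is called an "option", the CVE links use plain http, and there is trailing whitespace after the closing h3 tag in the warning block. If this file is transformed output, as the commit message "xforms" suggests, these belong in the source document rather than here.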