Hi all,
I've just remembered this mail which was poster 1 month ago :
Le lundi 23 août 2010 13:59:34, Łukasz Jagiełło a écrit :
> Hi,
>
> I'm wonder is there any solution for regex non-ascii characters in
> URLs ? For example want to block url like this:
>
> http://some.domain.com/server-info
>
> Got ACL:
>
> acl status url_reg \/server-(status|info)(.*)?
>
> ,but if someone wrote url like this:
>
> http://some.domain.com/%73%65%72%76%65%72%2D%69%6E%66%6F
>
> ACL won't get it. I could change acl like this:
>
> acl status url_reg
> \/(server|\%73\%65\%72\%76\%65\%72)(-|\%2D)(status|info|\%69\%6E\%66\%6F|\%
> 73\%74\%61\%74\%75\%73)(.*)?
>
> But still someone can wrote:
>
> http://some.domain.com/s%65%72%76%65%72%2D%69%6E%66%6F
>
> and will get server status. Is it possible to transform url to ASCII ?
If no one is working on a solution yet, I propose to develop one when I get time, as this can be a security hole for rules used to protect some urls.
Let me know ;-)
-- Cyril BontéReceived on 2010/09/26 19:32
This archive was generated by hypermail 2.2.0 : 2010/09/26 19:45 CEST