[Zope-dev] Re: [Zope] PCGI?

Jamie Heilman jamie@audible.transient.net
Fri, 14 Feb 2003 14:40:51 -0800


Leonardo Rochael Almeida wrote:
> RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]
> 
> This way you don't have to worry about what hostname the user uses to
> access their site.

Ugh.  The host header should be considered tainted data, and you just
slapped it into a proxy request blindly.  This probably isn't a good
idea.  Apache is only going to hold your hand so much here when it
comes to protecting against various attempts at coercion.  Go read
src/main/http_vhost.c from the apache 1.3 source, jump down to around
line 690.  Apache's sanity checking is done in the context of the
filesystem, not Zope URI space.  There are things it's going to let
through which could lead to undesired behavior--underscores, question
marks--use your imagination.  (btw, your pattern is goofy, you don't
need the ^ or $, (.*) is greedy enough by itself)

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."				-Holly
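The weak rule from the quoted message beside a constrained variant, as an added example that is not from either poster. It assumes `www.example.com` and `example.com` stand in for the site's real hostnames and that the rest of the path is the same as in the quoted rule.

```apache
# Weak (as quoted above): whatever Host header the client sent is copied
# verbatim into the URL proxied to Zope. Only SERVER_PORT is server-side data.
RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

# Constrained: only proxy when the Host header is exactly one of the
# hostnames this server is meant to serve (placeholder names, assumption).
# %1 is the RewriteCond capture, so only the allow-listed value reaches Zope.
RewriteCond %{HTTP_HOST} ^(www\.example\.com|example\.com)$ [NC]
RewriteRule (.*) http://127.0.0.1:8080/VirtualHostBase/http/%1:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

# Anything with an unexpected Host header (odd characters, a trailing
# ":port", an unknown name) falls through to here and is refused.
RewriteRule .* - [F]
```

A Host header of the form `example.com:80` is rejected by the anchored pattern above; widen the RewriteCond deliberately if clients are expected to send a port.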