Querystring url toolkit

Martijn
17 June 2013, 13:35
I have a url toolkit which contains this line:

Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$) Return

However js and css files with a name like this:

/site.js?ver=3.1

are not matched.

Is it possible for url toolkit to ignore the querystring part of the uri?


Hiawatha version: 9.1
Operating System: Debian 6.0 32 bit
Hugo Leisink
17 June 2013, 13:40
Try this: Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$|\?) Return
Martijn
17 June 2013, 13:51
That one works but imposes a security issue for me.

http://cache.mysite.com/wp-config.php?test=site.js is now downloadable.

This is my setup:
UrlToolkit {
    ToolkitID = cache
    Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$|\?) Return
    Match .* DenyAccess
}

VirtualHost {
    Hostname = www.mysite.com
    WebsiteRoot = /var/www/mysite.com/html
    ReverseProxy .* http://127.0.0.1:80 60 # apache backend
}

VirtualHost {
    Hostname = cache.studioseverien.nl
    WebsiteRoot = /var/www/mysite.com/html
    UseToolkit = cache
}

As you can see I use a virtualhost for serving the js, css and images via cache.mysite.com.
It is not allowed to serve anything other than those files.
Hugo Leisink
18 June 2013, 10:47
http://cache.mysite.com/wp-config.php?test=site.js is now downloadable.

What exactly is downloadable? What content do you see?
And is that a Hiawatha or Wordpress issue?
Martijn
18 June 2013, 12:48
The browser downloads the wp-config.php as a text file. So all content is readable.

What I want to achieve is that on the cache.mysite.com only js, css and images are accessible. Not php or xml files or whatever.
Hiawatha is running as the frontend server and apache as upstream. They both share the same document root.

If I access http://mysite.com/wp-config.php?test=site.js (without cache.) I'll get a blank screen which is correct (a die(); in the wp-config.php file).

Because I don't have a php handler in hiawatha the wp-config.php (or any other php file) is served via hiawatha as plain text because the url toolkit matches the site.js (even if it is in the query string part).

I hope I make myself clear what I want.

Oh. My bad, typo: cache.studioseverien.nl should be cache.mysite.com

But in the config file all is set the same. I replaced it to mysite.com as an example.
Hugo Leisink
18 June 2013, 12:55
If you don't specify a PHP handler, Hiawatha will indeed upload the content. Solution: remove the PHP scripts or deny access to it via an UrlToolkit rule.
Martijn
18 June 2013, 13:26
Yes I also thought of that.

My wish was to make a toolkit which does something like allow js, css and image extensions and deny everything else.
This works. Because when I call http://cache.mysite.com/wp-config.php (without query string) I get a 403 forbidden from hiawatha.
When I call http://cache.mysite.com/js/jquery.js this also works.

So I hoped the Match in the url toolkit would ignore the query string part for matching.
This topic has been closed.
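
The matching behaviour discussed in this thread, as an added example that is not part of the original posts or of Hiawatha itself: it runs the two Match patterns from the thread, plus a hypothetical hardened pattern that uses `[^?]*` so the extension check cannot reach into the query string, against the URIs mentioned above. Assumptions: the rule is matched against the full request URI including the query string (as the thread describes), and Python's `re` stands in for the server's regex engine.

```python
import re

EXT = r"\.(js|ico|gif|jpg|jpeg|png|css|svg)"

RULES = {
    # First post: the extension must be followed by "/" or end of URI.
    "original": r"^/.*" + EXT + r"(/|$)",
    # Suggested in the thread: also accept "?" after the extension.
    "suggested": r"^/.*" + EXT + r"(/|$|\?)",
    # Hypothetical hardened rule (not from the thread): [^?]* stops at the
    # first "?", so the extension must be found in the path part only.
    "hardened": r"^/[^?]*" + EXT + r"(/|$|\?)",
}

# URIs taken from the thread.
SAMPLE_URIS = [
    "/js/jquery.js",
    "/site.js?ver=3.1",
    "/wp-config.php",
    "/wp-config.php?test=site.js",
]


def returns(rule: str, uri: str) -> bool:
    """True if the 'Match <rule> Return' line fires for this URI.

    False means the request falls through to 'Match .* DenyAccess'.
    """
    return re.search(RULES[rule], uri) is not None


def decision_table() -> dict:
    """Map each sample URI to the outcome under every rule."""
    return {uri: {name: returns(name, uri) for name in RULES}
            for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for uri, row in decision_table().items():
        verdicts = ", ".join(
            f"{name}={'Return' if hit else 'DenyAccess'}"
            for name, hit in row.items())
        print(f"{uri:32} {verdicts}")
```

Under these assumptions the greedy `.*` is what lets `site.js` inside the query string satisfy the extension check; the `[^?]*` form still allows `/site.js?ver=3.1` while sending `/wp-config.php?test=site.js` to DenyAccess.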