Forum

Hiawatha v10.7

I wrote my toolkit based on the example.

https://www.hiawatha-webserver.org/howto/url_toolkit

UrlToolkit {
        ToolkitID = hubzilla
        Match ^/store DenyAccess
        RequestURI exists Return
        Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
        Match /(.*) Rewrite /index.php?q=$1
}

Here's the issue:

reguest /store/a/b/c returns 403 forbidden (expected)
request //store/a/b/c returns 200 and the file (should be denied)
request ///store/a/b/c returns 200 and the file (should be denied)

Basically adding extra / in front of the URI it returns the file, which should be denied.

here's a live example. (url is long)
http://rink.to/dC0

Not sure exactly what should be correct,

on both Debian GNU/Linux and FreeBSD:

# ls -l store//////web/////test.php
-rw-r--r-- 1 root root 56 Apr 15 23:50 store//////web/////test.php

So apparently the file system call to check if the file exists will return true. It's possible that the web server is operating properly.

The downside is that the ^/store won't match ^//store etc.

The fix I have come up with is to add a check for double slashes in the rewrite toolkit.

Match (//) DenyAccess

so it becomes:

UrlToolkit {
        ToolkitID = hubzilla
        Match (//) DenyAccess
        Match ^/store DenyAccess
        RequestURI exists Return
        Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
        Match /(.*) Rewrite /index.php?q=$1
}

IMHO at minimum this should be mentioned on the rewrite examples page, I do not think it's clear to expect this behavior?

Thanks.

How about this:

UrlToolkit {
        ToolkitID = hubzilla
        Match ^(/+)store DenyAccess
        RequestURI exists Return
        Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
        Match /(.*) Rewrite /index.php?q=$1
}

yes, that works. and it's better. some links have stuff like /path/to?u=https://example.com so it trips the double slash deny (//)

thank you.