From: Joe Orton Date: Wed, 5 Oct 2011 15:36:56 +0000 (+0000) Subject: - add a security warning, and tweak the example, in light of CVE-2011-3368 X-Git-Tag: 2.3.15~173 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ffce0a307e00246db14337c4e60c0c430d4f29a6;p=apache - add a security warning, and tweak the example, in light of CVE-2011-3368 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1179266 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index d2e19e5351..946701de4e 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -482,7 +482,7 @@ example, if you wanted all image requests to be handled by a back-end image server, you might do something like the following:

-RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] +RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

Use of the [P] flag implies [L] - that is, the request is immediately @@ -498,6 +498,15 @@ more powerful implementation of the ProxyPass directive, to map remote content into the namespace of the local server.

+ +Security Warning +

Take care when constructing the target URL of the rule, considering +the security impact from allowing the client influence over the set of +URLs to which your server will act as a proxy. Ensure that the scheme +and hostname part of the URL is either fixed, or does not allow the +client undue influence.

+
+

Note: mod_proxy must be enabled in order to use this flag.
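Review bot: in the `@@ -482,7 +482,7 @@` hunk the new pattern `/(.*)\.(jpg|gif|png)` is still unanchored, so the example relies on the regex engine to start the match at the leading slash and silently drops anything that follows the extension. Consider `RewriteRule ^/(.*)\.(jpg|gif|png)$ http://images.example.com/$1.$2 [P]`, so that the whole request path has to match and the fixed `/` after the hostname is visibly the first thing in front of `$1`. The surrounding text also gives no reason for the added slashes; one sentence saying that the `/` keeps client-supplied text out of the hostname part of the target would stop readers from "simplifying" the rule back to the old form.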
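Review bot: in the `@@ -498,6 +498,15 @@` hunk the warning tells the reader to ensure the scheme and hostname are "either fixed, or does not allow the client undue influence", but never says what a safe target looks like or connects the advice to the example changed earlier in this patch. Suggest adding a concrete sentence, for instance that backreferences such as `$1` should appear only after a literal `scheme://hostname/` prefix, and pointing back to the image-server rule as the pattern to copy. Minor wording: "the scheme and hostname part of the URL is" should read "the scheme and hostname parts of the URL are".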