Can denying access to a folder with mod_rewrite be insecure?

7

I'm thinking of creating a very limited PHP microframework just for my own use. However, I came across a situation: most frameworks use a folder called public, and on production servers we usually point DocumentRoot at this folder in httpd.conf.

The structure usually looks like this:

/home/user/projeto
├── data/
├── vendor/
├── application/
└── public/
    ├── .htaccess
    └── index.php

The vhost looks like this:

<VirtualHost *:80>
    ServerName myapp.localhost.com
    DocumentRoot "/home/user/projeto/public"
    <Directory "/home/user/projeto/public">
        AllowOverride all
    </Directory>
</VirtualHost>

But since in my case it's a simple microframework for personal use, I thought of using this folder structure:

/home/user/projeto
├── index.php
├── .htaccess
└── exemplo/
    ├── application/
    ├── vendor/
    └── data/

In this second example, /home/user/projeto/.htaccess looks like this:

IndexIgnore *

<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteRule "^exemplo/" "index.php" [L]

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

Note that I used RewriteRule "^exemplo/" "index.php" [L] to prevent access to the contents of the exemplo/ folder, where the project files, libraries, and classes are located, and to the data/ folder, which is used to write non-public data. Also, if it is accessed like this: http://site/exemplo/ it will execute /home/user/projeto/index.php.

The reason for wanting to use the second way is to make it easier to port the application to other servers without having to configure DocumentRoot and restart Apache, which makes setup easier.

The question is:

  • Can using RewriteRule "^exemplo/" "index.php" [L] to prevent access to the exemplo/ folder, where I have the data/, vendor/, and application/ folders, be unsafe or cause some other type of problem?
asked by anonymous 12.12.2015 / 01:26

1 answer

2

Normally we use the constant checking technique.

The way you showed is very interesting because it leaves the code clean and free from the hassle of the constant technique.

The portability of this will depend on how you translate this rule from mod_rewrite to other servers like Nginx and IIS. But it's not difficult.

As for side effects or security issues, there is no way for the user to have access as long as the rule is working.

Something that can lead to problems is that it uses <IfModule mod_rewrite.c>.

The purpose of this is to prevent an internal error from occurring when the server does not have mod_rewrite.

On the other hand, if the server does not have mod_rewrite, the rule will not be read and no error will be triggered. This is a bit dangerous because it will happen silently, leaving the folder unprotected.

One tip is to remove the conditional that checks whether mod_rewrite is loaded.

However, it is easier to find a server without mod_rewrite than to find a server that offers only a public access folder.

Both cases can exist on the same server. At that point, there is not much to do except use the constant technique.

13.12.2015 / 00:52
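As an added example (not code from the question or the answer), here is how the question's layout could be protected following the answer's tip of dropping the <IfModule> guard, plus a second layer that does not depend on mod_rewrite at all. It assumes Apache 2.4, the /home/user/projeto paths from the question, and a vhost with "AllowOverride all" as shown in the question, so that .htaccess may use Require and Options.

```apacheconf
# Added example; assumes Apache 2.4, the layout from the question, and
# "AllowOverride all" on /home/user/projeto so Require/Options work here.

# --- /home/user/projeto/.htaccess -----------------------------------------
# No <IfModule mod_rewrite.c> wrapper: if mod_rewrite is missing, Apache
# answers 500 and logs "Invalid command 'RewriteEngine'" instead of silently
# serving exemplo/ as static files.
IndexIgnore *
Options -Indexes

RewriteEngine On

# Anything under exemplo/ is handed to the front controller, never served
# directly (same rule as in the question).
RewriteRule "^exemplo/" "index.php" [L]

# Every path that is not an existing file or directory also goes to index.php.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# --- /home/user/projeto/exemplo/.htaccess ---------------------------------
# Second layer, enforced by mod_authz_core in the access-check phase, which
# runs before per-directory rewriting. It holds even if mod_rewrite is absent
# or the rule above is edited away. On Apache 2.2 use "Deny from all" instead.
Require all denied
```

The deny only applies to HTTP requests: index.php can still include files from exemplo/application and read or write exemplo/data through the filesystem. Two behaviour differences from the question's setup: a request to http://site/exemplo/ (or anything below it) now returns 403 instead of running index.php, and a server without mod_rewrite fails loudly with a 500 rather than quietly exposing the folder. To verify, confirm the module is loaded with "apachectl -M" and then request /exemplo/data/anything, expecting 403, while / and a non-existent path such as /foo still reach index.php.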