dongyashun2559 2012-12-01 15:33
浏览 69
已采纳

URL中使用反斜杠有什么用?

I have a front controller in my PHP project. Here is the code;

.htaccess file

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule .* index.php [PT,L]
</IfModule>

index.php file

<?php
list($url) = explode('?', $_SERVER['REQUEST_URI']);
$url = trim(trim($url), '/');

if(!file_exists('pages/'.$url.'.php')
    header('Location: 404.html');

require_once 'inc/head.php';
require_once 'pages/'.$url.'.php';
require_once 'inc/foot.php';
?>

I assumed every requested URL must go through index.php file. But if there is a \ (as %5C) in URL server answer is "Not Found".

Questions;

  • Why there is an exception for \ character? Is there any characters like that?
  • What is the reqular use of \ character to make Apache search for a file? Why not just ignore?
  • Where Apache looks and not founds the file?

Note: My system is Windows with Apache 2.2.21 and PHP 5.3.10. Note2: This is just an example code, so do not offer a better way.

  • 写回答

1条回答 默认 最新

  • douyu9159 2012-12-01 16:04
    关注

    Comment above said it already:

    On Windows \ is the path separator So requesting 'http://localhost/\' on a windows system will be caught by the RewriteCond %{REQUEST_FILENAME} -d, simply your document root, which is a directory.

    You have inverted the condition, d (!-d) so apache does not execute the rewrite rule but looks for the default index file, which does not exist, you get a 404

    Remove the condition "not a existing directory" or add the index.php to the list of defaults

    EDIT:

    The story I wrote had such a plausible character that I believed it by myself :) Indeed, this is not even Windows but Apache specific.

    Because of a security leak in CGI Apache introduced this as a fix many years ago. Instead of processing the request, it immediately returns a 404 Not Found, when you pass either %5C (backslash) or %2F (slash) in the request URL.

    I was able to reproduce this on a Apache 2.2.14.

    If you do not use CGI ( e.g. Perl website ) you can safely disable this "security fix":

    AllowEncodedSlashes On

    This was introduced in Apache 2.0.46, see documentation, setting this variable didn't work in my .htaccess, I had to put it into the vhost config and restart the apache server.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化
  • ¥15 Mirare PLUS 进行密钥认证?(详解)
  • ¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
  • ¥20 想用ollama做一个自己的AI数据库
  • ¥15 关于qualoth编辑及缝合服装领子的问题解决方案探寻
  • ¥15 请问怎么才能复现这样的图呀