[geeklog-devel] Blocking those inclusion attempts

Dirk Haun dirk at haun-online.de
Sat Dec 15 12:17:31 EST 2007


Ramnath R Iyer wrote:

>I think you would want something like:
>
>^.+http:
>
>Starts with one or more characters, and is followed by http:

Looks good, thanks. You only need to use QUERY_STRING then, since
THE_REQUEST contains the entire request, including the GET. So:

  RewriteEngine On
  RewriteCond %{QUERY_STRING} ^.+http:
  RewriteRule .* - [L,F]

That seems to work as expected and shouldn't block requests with
complete URIs any more (I've removed those .htaccess rules).

It's up on geeklog.net now. Let me know if anyone is running into
problems with unexpected "Access denied" messages.

bye, Dirk


-- 
http://www.haun-online.de/
http://geeklog.info/




More information about the geeklog-devel mailing list