git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
xforms for AllowAnyURI
author Eric Covener <covener@apache.org>
Wed, 5 Jun 2013 15:19:10 +0000 (15:19 +0000)
committer Eric Covener <covener@apache.org>
Wed, 5 Jun 2013 15:19:10 +0000 (15:19 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489912 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/mod/mod_rewrite.html.en

index 13e0923fe7d47cec2b77863daa61c43b0ad0e665..c0bf0633dca459837495197b9157c3ce28dc7d7f 100644 (file)
@@ -1134,8 +1134,47 @@ later</td></tr>
       responds with an 500 Internal Server Error. If you really need
       more internal redirects than 10 per request, you may increase
       the default to the desired value.</dd>
+
+      <dt><code>AllowAnyURI</code></dt>
+      <dd>
+
+      <p>When <code class="directive"><a href="#rewriterule">RewriteRule</a></code>
+      is used in <code>VirtualHost</code> or server context with
+      version 2.0.65 or later of httpd, <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code>
+      will only process the rewrite rules if the request URI is a <a href="./directive-dict.html#Syntax">URL-path</a>.  This avoids
+      some security issues where particular rules could allow
+      "surprising" pattern expansions (see <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+      and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>).
+      To lift the restriction on matching a URL-path, the
+      <code>AllowAnyURI</code> option can be enabled, and
+      <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> will apply the rule set to any
+      request URI string, regardless of whether that string matches
+      the URL-path grammar required by the HTTP specification.</p>
+
+      <div class="warning">
+      <h3>Security Warning</h3> 
+
+      <p>Enabling this option will make the server vulnerable to
+      security issues if used with rewrite rules which are not
+      carefully authored.  It is <strong>strongly recommended</strong>
+      that this option is not used.  In particular, beware of input
+      strings containing the '<code>@</code>' character which could
+      change the interpretation of the transformed URI, as per the
+      above CVE names.</p>
+      </div>
+      </dd>
+
+      <dt><code>MergeBase</code></dt>
+      <dd>
+
+      <p>With this option, the value of <code class="directive"><a href="#rewritebase">RewriteBase</a></code> is copied from where it's explicitly defined
+      into any sub-directory or sub-location that doesn't define its own
+      <code class="directive"><a href="#rewritebase">RewriteBase</a></code>.
+      This flag is available for Apache HTTP Server 2.0.65 and later.</p>
+      </dd>
       </dl>
 
+
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="RewriteRule" id="RewriteRule">RewriteRule</a> <a name="rewriterule" id="rewriterule">Directive</a></h2>
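
Review bot: In the Security Warning under AllowAnyURI, "rewrite rules which are not carefully authored" gives the reader nothing to act on. The text names the '@' character and the two CVEs but never says what a safe rule looks like once the URL-path restriction is lifted. Suggest adding one sentence of concrete guidance, for example that a pattern meant to match URL-paths should be anchored so that it only matches input beginning with '/', and that any substitution building a URI from the matched text should be reviewed against input containing '@'. Two smaller points: the hunk also adds a MergeBase entry that the commit message ("xforms for AllowAnyURI") does not mention, so either note it in the log or split it out; and there is trailing whitespace after </h3> on the Security Warning line, plus a stray added blank line before the closing </div>.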