From: Eric Covener <covener@apache.org>
Date: Wed, 5 Jun 2013 15:19:10 +0000 (+0000)
Subject: xforms for AllowAnyURI
X-Git-Tag: 2.0.65~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d013d982889474fb9ff7d4f79d56b970443f7e07;p=thirdparty%2Fapache%2Fhttpd.git

xforms for AllowAnyURI


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489912 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_rewrite.html.en b/docs/manual/mod/mod_rewrite.html.en
index 13e0923fe7d..c0bf0633dca 100644
--- a/docs/manual/mod/mod_rewrite.html.en
+++ b/docs/manual/mod/mod_rewrite.html.en
@@ -1134,8 +1134,47 @@ later</td></tr>
       responds with an 500 Internal Server Error. If you really need
       more internal redirects than 10 per request, you may increase
       the default to the desired value.</dd>
+
+      <dt><code>AllowAnyURI</code></dt>
+      <dd>
+
+      <p>When <code class="directive"><a href="#rewriterule">RewriteRule</a></code>
+      is used in <code>VirtualHost</code> or server context with
+      version 2.0.65 or later of httpd, <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code>
+      will only process the rewrite rules if the request URI is a <a href="./directive-dict.html#Syntax">URL-path</a>.  This avoids
+      some security issues where particular rules could allow
+      "surprising" pattern expansions (see <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+      and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>).
+      To lift the restriction on matching a URL-path, the
+      <code>AllowAnyURI</code> option can be enabled, and
+      <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> will apply the rule set to any
+      request URI string, regardless of whether that string matches
+      the URL-path grammar required by the HTTP specification.</p>
+
+      <div class="warning">
+      <h3>Security Warning</h3> 
+
+      <p>Enabling this option will make the server vulnerable to
+      security issues if used with rewrite rules which are not
+      carefully authored.  It is <strong>strongly recommended</strong>
+      that this option is not used.  In particular, beware of input
+      strings containing the '<code>@</code>' character which could
+      change the interpretation of the transformed URI, as per the
+      above CVE names.</p>
+      </div>
+      </dd>
+
+      <dt><code>MergeBase</code></dt>
+      <dd>
+
+      <p>With this option, the value of <code class="directive"><a href="#rewritebase">RewriteBase</a></code> is copied from where it's explicitly defined
+      into any sub-directory or sub-location that doesn't define its own
+      <code class="directive"><a href="#rewritebase">RewriteBase</a></code>.
+      This flag is available for Apache HTTP Server 2.0.65 and later.</p>
+      </dd>
       </dl>
 
+
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="RewriteRule" id="RewriteRule">RewriteRule</a> <a name="rewriterule" id="rewriterule">Directive</a></h2>