Remove restriction preventing expressions in Redirects outside of <Location> #540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…cts outside of <Location>
Currently, it's not possible to use expression syntax like this in (say) .htaccess files:
<If "%{HTTPS} != 'on'">
Redirect 301 https://%{HTTP_HOST}%{REQUEST_URI}
</If>
You have to instead use a much uglier RewriteCond/RewriteRule.
The reason it doesn't work is not because the code doesn't exist, but because mod_alias.c restricts expressions in redirects to "<Location> context only for now".
It's not clear why that restriction was/is needed. I asked if anyone knew the reason for it on the httpd dev mailing list in 2022, but nobody replied:
https://lists.apache.org/thread/m72z147c3rffpk7goy7n0z66l7jw16lc
My company has been running this patch on many production servers for three years with no trouble. It allows the above example to work as expected from a .htaccess file, which seems generally useful and in accordance with the "ongoing effort to only use a single variant, called ap_expr, for all configuration directives".
Author
|
I'm wondering if anyone knows of a security-related reason why this should not be implemented? @ylavic, you added the If it's not secure, I'd like to stop using the patch myself and remove this pull request. |
Member
|
Digging in the archives[1] (my memory fails at 10y ago) it seems that allowing expressions outside where the regular expression is a match rather than the redirected URL.
[1] https://lists.apache.org/thread/omk0bgf3h649tz62qblw1112kbl7p10n |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, it's not possible to use expression syntax like this in (say) .htaccess files:
You have to instead use a much uglier RewriteCond/RewriteRule.
The reason it doesn't work is not because the code doesn't exist, but because mod_alias.c restricts expressions in redirects to
<Location> context only for now.It's not clear why that restriction was/is needed. I asked if anyone knew the reason for it on the httpd dev mailing list in 2022, but nobody replied: https://lists.apache.org/thread/m72z147c3rffpk7goy7n0z66l7jw16lc
My company has been running this patch on many production servers for three years with no trouble. It allows the above example to work as expected from a .htaccess file, which seems generally useful and in accordance with the "ongoing effort to only use a single variant, called ap_expr, for all configuration directives".