Just setting up mod_rewrite for my new CMSMS site. "Pretty URLs" - now working OK

As an extra benefit, I wondered if we could get some security protection too? Here's a possible ruleset, amalgamated from various sources...
# URL Filtering helps stop some hack attempts
# IF the query string contains a backslash (e.g. "http:\\", "https:\\", "ftp:\\")
RewriteCond %{QUERY_STRING} \\\\ [OR]
# OR if the query string contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
# OR if the query string contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
# OR if the query string contains a "<script>" tag (raw or URL-encoded)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
# OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
# OR if the query string contains a * ([OR] is required here, otherwise this
# condition closes the OR group and is ANDed with the one below)
RewriteCond %{QUERY_STRING} \* [OR]
# OR the query string contains SQL injection type keywords
# (no [OR] on the last condition: a trailing [OR] has nothing to chain to)
RewriteCond %{QUERY_STRING} [^a-z](cast|char|convert|declare|delete|drop|exec|insert|meta|script|select|set|source|srs|truncate|union|update)[^a-z] [NC]
# then deny the request (403)
RewriteRule ^.*$ - [F,L]
I realise that CMSMS is quite mature now, so the developers will be experienced in avoiding SQL injection problems by now. But as an extra safety net, I just wondered whether mod_rewrite could provide some protection against SQL injection, or PHP injection maybe?
One complication is the use of pretty URLs. I don't feel confident that I fully understand the processing sequence involved, but presumably a "pretty URL" will get evaluated twice.
Thanks for any thoughts, or better regular expressions!
- Martin
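To see what the chain does with the [OR] flags exactly as posted versus with [OR] on every condition but the last, here is a small simulation added here (it is not code from the post or from CMSMS). The evaluation model of mod_rewrite's [OR]/AND chaining is an assumption drawn from its documented behaviour, not Apache's code, and the query strings are constructed.

```python
import re

# Simplified model (an assumption made here, not Apache's own code) of mod_rewrite's
# RewriteCond chaining: [OR]-joined conditions form a group that passes when any member
# matches, groups are ANDed, and a trailing [OR] on the last condition can never veto.
def rule_fires(conds, query_string):
    i = 0
    while i < len(conds):
        pattern, flags = conds[i]
        nc = re.IGNORECASE if "NC" in flags else 0
        matched = re.search(pattern, query_string, nc) is not None
        if "OR" in flags:
            if not matched:
                i += 1          # another member of the OR group may still match
                continue
            while i < len(conds) and "OR" in conds[i][1]:
                i += 1          # group satisfied: skip its remaining members
        elif not matched:
            return False        # an AND-joined condition failed
        i += 1
    return True

# The posted patterns re-typed as Python regexes, paired with their NC flag.
# Apache hands "\\\\" to the regex engine as "\\", i.e. one literal backslash.
PATTERNS = [
    (r"\\", False), (r"\[", False), (r"\]", False),
    (r"(<|%3C).*script.*(>|%3E)", True), (r"base64_encode.*\(.*\)", True),
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", True), (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", True),
    (r"\*", False),
    (r"[^a-z](cast|char|convert|declare|delete|drop|exec|insert|meta|script"
     r"|select|set|source|srs|truncate|union|update)[^a-z]", True),
]

def build_chain(posted):
    """posted=True: no [OR] on the "*" condition and a stray [OR] last; False: [OR] on all but the last."""
    no_or = len(PATTERNS) - 2 if posted else len(PATTERNS) - 1
    return [(pat, ",".join(f for f, on in (("NC", nc), ("OR", i != no_or)) if on))
            for i, (pat, nc) in enumerate(PATTERNS)]

SAMPLES = {  # constructed query strings, with the verdict the author intends
    "page=home&id=12": False,
    "id=1;drop%20users": True,   # only the SQL-keyword condition catches this
    "q=%3Cscript%3Ehello": True,
    "x=GLOBALS[admin]=1": True,
    "name=a*b": True,
}

def check(conds):
    return {qs: rule_fires(conds, qs) for qs in SAMPLES}
```

Running `check(build_chain(posted=True))` shows the posted flags let `id=1;drop%20users` through: the missing [OR] on the `\*` line closes the OR group, and the trailing [OR] on the SQL-keyword line leaves that condition with nothing to AND against, so it is effectively dead.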