Re: [mod-security-users] mod_security enhancement idea
Brought to you by:
victorhora,
zimmerletw
From: Terry D. <tdo...@na...> - 2006-04-12 13:23:38
|
Tom Anderson wrote: > Terry Dooher wrote: > >> Let's assume that the sample rule: >> >> SecFilterSelective REQUEST_URI "^/mls_verifyemail0.php" allow >> >> [1] Am I right in believing that REQUEST_URI is just the requested >> file with POST, but includes the query string with GET requests? (I'm >> working from a 1.87 manual) > > > In the example above, it would allow query string arguments. If you add > a trailing "$" after ".php", then only the file with no arguments would > be allowed in a GET. This much I understand, but I'm looking for some clarification on whether or not REQUEST_URI contains the query string in POST requests. I would assume not, but my confusion arises from the use of the term URI in this context. Going strictly by the RFC, I'd expect <scheme>://<authority><path>?query, but we're inside a VirtualHost directive, so it makes sense not to have the scheme and domain parts available, matching only from the beginning of the path. Does this also mean the query string from POST requests is tacked on to the end? (This seems unlikely to me, but I just want to be sure.) Terry. > Tom > > > > ------------------------------------------------------- > This SF.Net email is sponsored by xPML, a groundbreaking scripting language > that extends applications into web and mobile media. Attend the live > webcast > and join the prime developer group breaking into this new coding territory! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > |