mod_rewrite的NE标志 - 当它是有帮助的恩在URL code特殊字符？ [英] mod_rewrite NE flag - When is it helpful to encode special chars in the URL?

问题描述

我一直在看 [东北] （noescape）标志的mod_rewrite。经过一番思考，我不能找出一种情况，当我的不是的要使用的标志。意思是，它似乎是最有帮助的，以保持在几乎每一个重写规则已启用的标志。不调用此标志已经引起了我的问题，在少数情况下。

I've been looking at the [NE] (noescape) flag in mod_rewrite. After some thought I couldn't figure out a situation when I would NOT want to use the flag. Meaning, it seems most helpful to keep the flag enabled in almost every RewriteRule. Not invoking this flag has caused me problems in a few circumstances.

大部分我处理规则是HTTP重定向（ [R] ），而不是通过。

Most of the rules that I deal with are HTTP redirects ([R]), rather than passing through.

会有人提供一些线索，以当它是有帮助的mod_rewrite的EN code中的网址是什么？

Would someone shed some light as to when it is helpful to have mod_rewrite encode the URL?

时它总体上是好的做法，以使该标志，或者使用允许mod_rewrite的转义这些特殊字符的默认行为？为什么呢？

Is it generally good practice to enable this flag, or use the default behavior of allowing mod_rewrite escape these special characters? Why?

推荐答案

如果你看一下<一href="http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?revision=1452128&view=markup#l4553"相对=nofollow>来源$ C ​​$ C mod_rewrite的，你会发现，它设置了一个代理nocanon 标志，如果 noescape 已启用。

If you look at the source code for mod_rewrite, you'll notice that it sets a proxy-nocanon flag if noescape is enabled.

在<一个href="http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?revision=670061&view=markup#l4463"相对=nofollow>其中，该行首次加的修改，它也包括此评论：

In the revision where that line was first added, it also included this comment:

确保mod_proxy_http不规范化的URI和preserve在文件名mod_proxy_http任何（可能qsappend'd）查询字符串：proxy_http_canon（）

make sure that mod_proxy_http doesn't canonicalize the URI, and preserve any (possibly qsappend'd) query string in the filename for mod_proxy_http:proxy_http_canon()

这是继，如果你读href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" rel="nofollow"> mod_proxy的文档的 nocanon ：

Following on from that, if you read the mod_proxy documentation, you'll see the following mention of nocanon:

通常情况下，mod_proxy的将canonicalise ProxyPassed网址。但是，这可能与某些后端，尤其是那些利用PATH_INFO不兼容。可选nocanon关键字SUP presses于此，并且将URL路径原始到后端。请注意，可能会影响你的后端的安全性，因为它消除对由代理提供的基于URL的攻击，正常有限的保护。

Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL path "raw" to the backend. Note that may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

我可能是错误的，但是这意味着我在mod_proxy的使用 nocanon 的（通过扩展 noescape 中的mod_rewrite）具有潜在的安全后果。这可以解释为什么它默认是关闭的，甚至认为它看起来像这将是有它在大多数情况下，使更为有用。

I'm may be mistaken, but that implies to me that the use of nocanon in mod_proxy (and by extension noescape in mod_rewrite) has potential security ramifications. That would explain why it is disabled by default, even thought it seems like it would be more useful to have it enabled in most cases.

这篇关于mod_rewrite的NE标志 - 当它是有帮助的恩在URL code特殊字符？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！