当前位置: 文江博客 话题详情

.htaccess - 使目录不可见

发布于 2024-12-09 00:17:06 字数 591 浏览 1 评论 0 原文

我有一个 .htaccess 文件,目前看起来像:

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Options All -Indexes
IndexIgnore *

# Respond to /include/ with 404 instead of 403
RewriteEngine On
RedirectMatch 404 ^/include(/?|/.*)$

我试图阻止每个人都知道 /include/ 存在,但是我遇到了一个问题。

尽管访问 http://www.example.com/include 会返回 404,但浏览器会添加结束斜杠(因此给出 http://www.example.com/include/ )这表明该目录是事实上存在,但被伪装了。当实际访问 404 时,不会附加结束斜杠。

有没有办法阻止这种行为?

原文

I have a .htaccess file that currently looks like:

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Options All -Indexes
IndexIgnore *

# Respond to /include/ with 404 instead of 403
RewriteEngine On
RedirectMatch 404 ^/include(/?|/.*)$

I'm trying to prevent everyone from knowing that /include/ exists, however I've come across an issue.

Although visiting http://www.example.com/include gives a 404, the browser adds an end slash (thus giving http://www.example.com/include/) which shows that the directory is in fact there, but is being disguised. When an actual 404 is visited, an end slash is not appended.

Is there a way to prevent this behavior?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

终遇你 2024-12-16 00:17:07

1.您可以使用DirectorySlash Off告诉Apache不要在目录末尾添加尾部斜杠。

2.如果您实际上没有使用重写引擎(基于您提供的代码),为什么要使用RewriteEngine OnRedirectMatchmod_rewrite 无关。

3.如果你想在这里使用mod_rewrite,那么试试这个规则——它会为/include文件夹返回404代码(有或没有尾部斜杠)以及该文件内的任何资源(例如 /include/main.php 等)。

RewriteEngine On

RewriteRule ^include(/|/.+)?$ - [R=404,L]

1. You can use DirectorySlash Off to tell Apache to not to add trailing slash at the end of directories.

2. Why use RewriteEngine On if you do not actually use rewrite engine (based on the code you have provided)? RedirectMatch has nothing to do with mod_rewrite.

3. If you want to use mod_rewrite here, then try this rule -- it will return 404 code for /include folder (with and without trailing slash) as well as ANY resource inside that file (e.g. /include/main.php etc).

RewriteEngine On

RewriteRule ^include(/|/.+)?$ - [R=404,L]
回复 原文
他夏了夏天 2024-12-16 00:17:07

通过点文件泄漏目录存在

在某些情况下,以下代码行不足以隐藏您的目录:

RewriteEngine On
RewriteRule ^include(/|/.+)?$ - [R=404,L]

这些行不会阻止像 include/.phpinclude/ 这样的请求。 htinclude/.htaccess(相反,您将收到 403 Forbidden 错误,该错误表明目录 include 存在)。相反,人们希望禁止访问所有点文件,以防止泄漏文件夹存在(.git.php(只是“.php”) - 没有文件名),.htaccess,...)。 (旁注:我猜 .htaccess 文件和主 Apache 配置文件之间可能存在一些问题,您可以在其中禁止访问“.ht”文件并允许执行“.php”文件 - 这就是为什么这样的请求会做自己的事情而不是简单地重写为 404 错误,而是返回 403 错误)。

因此,您可以通过发送以下请求来绕过上述规则(您将收到 403 Forbidden 错误):

如果目录不存在,您可以验证是否会收到 404 Not Found 错误:

可能的修复方法

您需要匹配所有点文件。因此,首先您禁止访问它们(403 错误),然后您只需将 403 错误重写为 404 错误。

Options -Indexes
RewriteEngine On
RewriteRule ^secret.*$ - [R=404,L]

RewriteRule ^404_error$ - [R=404,L]

<FilesMatch "^\\.">
    order allow,deny

    # 403 error
    deny from all

    # Rewrite 403 error to 404 error
    # Error document must be:
    # - "a string with error text" OR
    # - an absolute path which starts with "/" OR
    # - URL (you'll get a redirect)
    ErrorDocument 403 /404_error
</FilesMatch>

这些请求现已被阻止,您将收到 404 Not Found 错误:

  • /secret/treasure.php(该文件夹中的所有文件和目录)
  • /secret
  • /secret/
  • /secret?42
  • /secret/ ?23
  • /secret/.php
  • /secret/.htaccess

这是我类似问题的答案: 将 htaccess 目录的请求重写为 404 错误

Leaking directory existence through dot-files

There are some cases where following lines of code are not enough to hide your directory:

RewriteEngine On
RewriteRule ^include(/|/.+)?$ - [R=404,L]

Those lines won't block requests like include/.php, include/.ht, include/.htaccess (instead you will receive a 403 Forbidden error which will indicate that the directory include exists). Instead one would like to forbid access to all dot-files to prevent leaking folder existence (.git, .php (just ".php" - without a file name), .htaccess, ...). (Side note: I guess there might be some issues between the .htaccess file and main Apache config file where you can forbid access to ".ht" files and allow to execute ".php" files - that's why such requests are doing their own thing without beeing simply rewritten to 404 error. Instead they are returning 403 error).

So you can bypass the above rules by sending following requests (you'll receive 403 Forbidden error):

You can verify that you'll get 404 Not Found error if directory doesn't exist:

Possible Fix

You need to match all the dot-files. So first you disallow access to them (403 error) and then you just rewrite 403 error to 404 error.

Options -Indexes
RewriteEngine On
RewriteRule ^secret.*$ - [R=404,L]

RewriteRule ^404_error$ - [R=404,L]

<FilesMatch "^\\.">
    order allow,deny

    # 403 error
    deny from all

    # Rewrite 403 error to 404 error
    # Error document must be:
    # - "a string with error text" OR
    # - an absolute path which starts with "/" OR
    # - URL (you'll get a redirect)
    ErrorDocument 403 /404_error
</FilesMatch>

These requests are now blocked and you'll get an 404 Not Found error:

  • /secret/treasure.php (all files and directories in that folder)
  • /secret
  • /secret/
  • /secret?42
  • /secret/?23
  • /secret/.php
  • /secret/.htaccess

This is an answer from my similar question: Rewrite requests to directory with htaccess to 404 error

回复 原文
維他命╮ 2024-12-16 00:17:07

除了 RedirectMatch 之外,还可以使用重写规则。

Use a rewrite rule in addition to the RedirectMatch.

回复 原文
~没有更多了~

关于作者

冷弦

暂无简介

0 文章
0 评论
786 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Gabu-gabumon

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

荔枝明

文章 0 评论 0

赏烟花じ飞满天

文章 0 评论 0

独守阴晴ぅ圆缺

文章 0 评论 0

¤→小豸慧

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文