Clash of RewriteRule due to [L] flag

  • nmcgovern

    (@nmcgovern)


    3 years, 2 months ago

    Hi folks,

    Currently, Adaptive Images has the following RewriteRule:
    RewriteRule \.(?:jpe?g|gif|png)$ /wp-content/plugins/adaptive-images/adaptive-images-script.php [L]

    Unfortunately, what this means is that the request is basically sent back to mod_rewrite for further processing, now with the new path (which ends in .php). If you have further rules, these are now processed, and a number of hardening tools don’t allow processing of .php files directly, unless they’re from a known list of files under wp-admin.

    To fix this on our site, we’ve changed [L] to [END], as detailed in https://httpd.apache.org/docs/current/rewrite/flags.html#flag_l. An alternative could be using [P], but this would require mod_proxy to be installed.

    So, the issue is now what will happen when we come to upgrade Adaptive Images. The use of [L] is hard coded in adaptive-images-actions.php, line 185. Additionally, there’s no checking on upgrade if the htaccess has been modified – it simply replaces the whole config between the mark lines with the new one.

    Perhaps the flag being used could be added as a config option, or the upgrade processing could be a bit more clever about parsing the .htaccess to look for changes.

    • This topic was modified 3 years, 2 months ago by nmcgovern.
Viewing 1 replies (of 1 total)
  • Plugin Author Takis Bouyouris

    (@nevma)

    2 years, 9 months ago

    Hello, @nmcgovern,

    Sorry for my late reply, but I did not get the notification, Also, thank you very much for your feedback, it is much appreciated!

    The initial idea was that the L flag would terminate the current set of rewrite rules, but would also allow for possible further processing, for interoperability reasons, in case some other piece code needed to do something. Doing so, of course, could be quite complex, but… that was the idea.

    Could you possibly name some of the security tools you mentioned, so that I might take a look at them?

    Now, indeed this is all hardcoded in the plugin as, we never expected it would be an issue. And I cannot make any promises that making it an option is on our roadmap yet. But it is noted! 🙂

    Cheers,
    Takis

Viewing 1 replies (of 1 total)
  • The topic ‘Clash of RewriteRule due to [L] flag’ is closed to new replies.

Tags