And of course I feel terrible about snapping because I am not a jerk, but I don't like coming across Google results like this one Title "BulletProof Security Security hole discovered". Grr. It bugs me a little bit even though I know that most people will actually click on the link and read the info to see what is up. Anyway, now that the steam has stopped rising off my brain. This is basically how htaccess Rulesets are processed. This is verbatim from the Apache site.
Now when mod_rewrite is triggered in these two API phases, it reads the configured rulesets from its configuration structure (which itself was either created on startup for per-server context or during the directory walk of the Apache kernel for per-directory context). Then the URL rewriting engine is started with the contained ruleset (one or more rules together with their conditions). The operation of the URL rewriting engine itself is exactly the same for both configuration contexts. Only the final result processing is different.
The order of rules in the ruleset is important because the rewriting engine processes them in a special (and not very obvious) order. The rule is this: The rewriting engine loops through the ruleset rule by rule (RewriteRule directives) and when a particular rule matches it optionally loops through existing corresponding conditions (RewriteCond directives). For historical reasons the conditions are given first, and so the control flow is a little bit long-winded. See Figure 1 for more details.
As you can see, first the URL is matched against the Pattern of each rule. When it fails mod_rewrite immediately stops processing this rule and continues with the next rule. If the Pattern matches, mod_rewrite looks for corresponding rule conditions. If none are present, it just substitutes the URL with a new value which is constructed from the string Substitution and goes on with its rule-looping. But if conditions exist, it starts an inner loop for processing them in the order that they are listed. For conditions the logic is different: we don't match a pattern against the current URL. Instead we first create a string TestString by expanding variables, back-references, map lookups, etc. and then we try to match CondPattern against it. If the pattern doesn't match, the complete set of conditions and the corresponding rule fails. If the pattern matches, then the next condition is processed until no more conditions are available. If all conditions match, processing is continued with the substitution of the URL with Substitution.
Anyway, I apologize for snapping at you, but in the future please consider the impact of your statements before posting such a potentially damaging statement.
And dude this is a free plugin. Yeah I think I've made $300 in donations, but I've put in well over 1,000 hours of my time. I charge around $40 an hour for website design and other things so even a low estimate on the hours I have put in is $40,000 worth of my time. So it looks like my total take on the BPS project is minus $39,700. Not a very profitable endeavor. LOL Luckily I have some sweet clients that take care of me because I put them on top, but otherwise I would not be able to afford to donate my time like this and take on such a time consuming and expensive hobby. Thanks.
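As an added illustration (not the poster's code and not Apache's), here is a small Python model of the rule-then-condition loop the quoted Apache text describes: rules are walked in order, a Pattern miss skips the rule, conditions are checked in listed order only after the Pattern matches, and a substitution feeds the next rule unless [L] stops the loop. The ruleset and request variables are constructed samples, and the $1-to-\1 conversion is a simplification of mod_rewrite's back-reference handling.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Cond:  # one RewriteCond: TestString, CondPattern, optional "!" negation
    test: str
    pattern: str
    negate: bool = False

@dataclass
class Rule:  # one RewriteRule: Pattern, Substitution ("-" keeps the URL), [L] flag
    pattern: str
    substitution: str
    conds: list = field(default_factory=list)
    last: bool = False

def expand(test_string, env):  # expand %{VAR} references from the request environment
    return re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), test_string)

def cond_ok(cond, env):  # a condition passes when CondPattern matches the expanded TestString
    return (re.search(cond.pattern, expand(cond.test, env)) is not None) != cond.negate

def rewrite(rules, url, env):
    trace = []
    for i, rule in enumerate(rules):
        m = re.search(rule.pattern, url)
        if not m:  # Pattern miss: this rule is skipped, go straight to the next one
            trace.append(f"rule {i}: pattern miss")
            continue
        if not all(cond_ok(c, env) for c in rule.conds):  # inner loop, in listed order, short-circuits
            trace.append(f"rule {i}: cond failed")
            continue
        if rule.substitution != "-":  # build the new URL, turning $1 into Python's \1
            url = m.expand(re.sub(r"\$(\d)", r"\\\1", rule.substitution))
        trace.append(f"rule {i}: url -> {url}")
        if rule.last:  # [L]: stop looping through the ruleset
            break
    return url, trace

def demo():  # constructed request and ruleset exercising every branch above
    env = {"HTTP_HOST": "www.example.com", "QUERY_STRING": "id=5"}  # constructed sample
    rules = [
        Rule(r"^admin/", "denied", [Cond("%{HTTP_HOST}", r"^intranet\.")], last=True),
        Rule(r"^old/(.*)$", "legacy/$1", [Cond("%{QUERY_STRING}", r"^$")]),
        Rule(r"^old/(.*)$", "new/$1"),
        Rule(r"^new/(.*)$", "index.php?page=$1", [Cond("%{HTTP_HOST}", r"^www\.")], last=True),
        Rule(r".*", "never-reached"),
    ]
    return rewrite(rules, "old/page", env)
```

Running demo() shows rule 0 missing on Pattern, rule 1 matching the Pattern but failing its condition, rule 2 rewriting the URL, and rule 3 acting on the rewritten URL and stopping the loop before rule 4.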