[CentOS] [OT] Apache oddity - appending garbage request does not result in a 404

Tue Jul 19 21:33:23 UTC 2011
Keith Roberts <keith at karsites.net>

On Tue, 19 Jul 2011, John R Pierce wrote:

> To: centos at centos.org
> From: John R Pierce <pierce at hogranch.com>
> Subject: Re: [CentOS] [OT] Apache oddity - appending garbage request does not
>     result in a 404
> 
> On 07/19/11 1:28 PM, Ray Leventhal wrote:
>> Example: http://www.domain.com/pagedoesnotexist returns the expected 404
>>
>> But browse to a page that does exist, like goodpage.php, then append
>> either a slash and some random string, or a ?=somerandomstring and the
>> goodpage.php is still displayed.
>>
>> I'll gladly provide more info, if needed.  Any pointers on where to look
>> would be truly appreciated.
>
> your php page should examine the arguments and if there's anything there
> unexpected, it should force the 404 via
>
>     {
>         header ('Location: '.$newReq);
>         header ('HTTP/1.0 404 Page Not Found');
>         die;  // Don't send any more output.
>     }
>
> or whatever...

If you don't need or want to pass any variables to your 
PHP scripts, you could use something like this PHP function:

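function url_check()
{
  // Treat a missing QUERY_STRING the same as an empty one.
  $qs = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

  // Both comparisons must hold; joined with OR the test is always true.
  if ('' <> $qs AND '#top' <> $qs)
  {
   echo "<p> Passing of variables by URL query string is not supported! </p>";
   echo "<p> Program terminating now - Please try again </p>";
   // Escape the value so the query string cannot inject markup into the page.
   echo "<p> Found in URL -> " . htmlspecialchars($qs, ENT_QUOTES) . " </p>";
   exit();
  }
}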

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
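
Added example, not part of the original message or its replies: a PHP sketch of the check discussed in this thread that covers both cases from the question (trailing path text and an unexpected query string) and answers with a 404 status. The function names, the allow-list parameter `id` and the sample requests are assumptions made for illustration.

```php
<?php
// Added example; the function names and allow-list are hypothetical.
// True when a request to an existing script carries anything the script
// did not ask for: trailing path text or undeclared query parameters.
function request_is_unexpected(array $server, array $get, array $allowed)
{
    // goodpage.php/garbage: the trailing text arrives as PATH_INFO.
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return true;
    }
    $qs = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';
    if ($qs === '') {
        return false;
    }
    // goodpage.php?=garbage: a query string with no named parameter.
    if (count($get) === 0) {
        return true;
    }
    foreach ($get as $name => $value) {
        // Unknown name, or an array value such as ?id[]=1.
        if (!in_array((string) $name, $allowed, true) || !is_string($value)) {
            return true;
        }
    }
    return false;
}

// Send a real 404 status with a fixed body; no request data is echoed.
function send_not_found()
{
    http_response_code(404);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "404 Not Found\n";
    exit;
}

// Constructed sample requests, evaluated only from the command line.
if (PHP_SAPI === 'cli') {
    $samples = array(
        array(array('QUERY_STRING' => ''), array()),
        array(array('PATH_INFO' => '/xyz', 'QUERY_STRING' => ''), array()),
        array(array('QUERY_STRING' => '=xyz'), array()),
        array(array('QUERY_STRING' => 'id=7'), array('id' => '7')),
        array(array('QUERY_STRING' => 'x=1'), array('x' => '1')),
    );
    foreach ($samples as $s) {
        var_dump(request_is_unexpected($s[0], $s[1], array('id')));
    }
}
```

In a page, the guard would run before any output, passing `$_SERVER`, `$_GET` and the list of parameter names that page accepts, and calling `send_not_found()` when it returns true.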