
Let's say we have a password.txt in a web directory that must not be leaked. Is it secure to use a RewriteRule like this?

RewriteRule "^password.txt?*" "404.html"

I tried to do something fishy like domain.com/somefile/../password.txt, or using "password%2Etxt", and it still redirected to 404. Is there anything else I have to worry about? If it's hackable, what's the hack? My understanding of the URL specification is that this is not possible, but I'm handwaving a bit.

Will the input to a RewriteRule always be something guaranteed by the URL specification, or will they relax the requirements a bit, the way CSS can be relaxed? If not, is the URL specification itself safe against this redirection?

I can use .htaccess to simply ban the file, but then RewriteRule "sldmfklwmefwk.txt" "password.txt" doesn't work either. I want "sldmfklwmefwk.txt" to be allowed but "password.txt" to be banned, so that every attempt to access "password.txt" is blocked unless it goes through "sldmfklwmefwk.txt".

  • If you are considering security through obscurity, i.e. you are assuming no one will know sldmfklwmefwk.txt, why not just rename password.txt to sldmfklwmefwk.txt? But this is always a bad idea, because this apparently hidden knowledge can be leaked easily through a simple mistake. If you don't want anyone to access the file, simply move the file outside the webroot. If you need access to the file, you can use a VPN or IP address whitelisting. – void_in Feb 26 '19 at 13:51
  • @void_in My question was simply about this theoretical model. In my practical situation, it is not security through obscurity. In my actual case, I used a RewriteRule to turn REST API requests into parameterized accesses to a PHP file, and another RewriteRule to hide the PHP file. Now, I have it cleansing input anyway, but if my RewriteRule is using a regex, I shouldn't have to cleanse it, right? The answer would be notable because (a) I'd like to know, since I'll learn something that I can apply elsewhere in terms of URL parsing, and (b) if it's hackable, that would be a cool CTF problem. – Nicholas Pipitone Feb 26 '19 at 15:01

2 Answers


Please try to avoid RewriteRule. It is a best practice to implement security rules from the top; in this context that is httpd.conf. I am assuming that password.txt is located in the Apache root directory.

# <Files> matches the name of the file being served; <DirectoryMatch> only
# matches directory paths, so it cannot protect a single file.
# "Require all denied" is the Apache 2.4 form of "Deny from all".
<Files "password.txt">
   Require all denied
</Files>

If any user accesses that file, s/he will get an HTTP 403 Forbidden error.
You can also redirect the user to another page like 404.html. Use the below to redirect the user.

# AliasMatch maps a URL-path regex to a filesystem path (not to a URL);
# the dot is escaped so "passwordXtxt" is not matched. Adjust the target
# to wherever 404.html lives (the path shown is an assumption). Note that the
# page is served with a 200 status, not 404.
AliasMatch "/password\.txt$" "/var/www/html/404.html"

Moreover, if the password.txt file is not used by the HTTPD process, then revoke all of the HTTPD process owner's permissions on the file.

– again
  • Note my comment at the end though. Will I still be able to use RewriteRule to provide limited access to the file? I believe I tried this before and it still blocked rewrites going to password.txt – Nicholas Pipitone Feb 26 '19 at 12:07
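Added example, not from the question or either answer: a .htaccess for the web directory in the question that does what the comment above asks for using only mod_rewrite. It refuses requests that name password.txt directly while still allowing the internal rewrite from sldmfklwmefwk.txt. The file names are the question's; the REDIRECT_STATUS check is the standard mod_rewrite idiom for distinguishing the original request from the internal redirect that a per-directory rewrite triggers. The Options lines assume that AllowOverride permits Options in this directory.

```apache
# .htaccess in the directory that holds password.txt (added example)
RewriteEngine On

# Per-directory rewriting needs symlink following to be enabled.
Options +FollowSymLinks
# With MultiViews on, a request for /password could be content-negotiated
# to password.txt and never hit the pattern below. Turn it off.
Options -MultiViews

# 1. Refuse requests that arrive for the real file.
#    In per-directory context the pattern is matched against the
#    %-decoded and ".."-normalised path, so "password%2Etxt" and
#    "somefile/../password.txt" both reach this rule as "password.txt".
#    [NC] also catches PASSWORD.TXT on case-insensitive filesystems.
#    The condition makes the rule fire only on the original request:
#    after mod_rewrite's internal redirect (rule 2 below) the environment
#    variable REDIRECT_STATUS is set, so the alias is not blocked by its
#    own target. No end anchor, so "password.txt/anything" is refused too.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^password\.txt - [NC,R=404,L]

# 2. Serve the file under the alias name. This is an internal rewrite
#    (no R flag), so the client never sees the real file name.
RewriteRule ^sldmfklwmefwk\.txt$ password.txt [L]
```

A `<Files "password.txt">` block with `Require all denied`, as in the answer above, is the stronger control when no alias is needed: it is evaluated against the file actually being served, which is exactly why it also blocks the rewrite from sldmfklwmefwk.txt. Neither mechanism is needed if the file lives outside the DocumentRoot and the PHP code reads it from there.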

I've read the whole question, but it boils down to a single sentence.

Just don't save it in the public folder.
Instead, put it in a private folder or write it to an offline host.