• Resolved madmax4ever

    (@madmax4ever)


    Currently, for dynamic images handling, the Rewrite conditions and rules are the following:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_URI} /wp-content/uploads(.*)$
    RewriteCond %{DOCUMENT_ROOT}/wp-content/wppp/images/%1 -f
    RewriteRule .* /wp-content/wppp/images/%1 [L]
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteRule ^(.*)-([0-9]+)x([0-9]+)?\.((?i)jpeg|jpg|png|gif) /wp-content/plugins/wp-performance-pack/modules/dynamic_images/serve-dynamic-images.php [QSA,L]

    Meaning:

    1. IF real path to requested file OF ANY KIND is not a file (meaning if file is not found).
    2. AND IF requested file uri ENDS with a path inside wp-content/uploads dir or any of its subdirectories
    3. AND IF file is not found in /wp-content/wppp/images either, USING the same final path used to check previous condition
    4. THEN change the request to /wp-content/wppp/images directory
    1. IF real path to requested file OF ANY KIND is not a file (meaning if file is not found).
    2. THEN requested file STARTING WITH: (anything) then a hyphen character then (1 or more numbers) then the ‘x’ lowercase character then MAYBE (1 or more numbers) then the dot character then one of the following words CASE INSENSITIVE (jpeg, jpg, png or gif) THEN change that to /wp-content/plugins/wp-performance-pack/modules/dynamic_images/serve-dynamic-images.php WITH THE PENDING REQUEST ELEMENTS

    But with such rules, you match and call /wp-content/plugins/wp-performance-pack/modules/dynamic_images/serve-dynamic-images.php, potentially encountering errors for bad calls…

    For instance:

    • wp-content/uploads/test/-1x.jpg
    • wp-content/uploads/test/fakeimg-1x.jpeg.exe
    • wp-content/uploads/test/fakeimg-1x1.png_or_not.pdf OR wp-content/uploads/test/fakeimg-1x.gif_imagine_here_any_type_of_code_attack_that_could_be_tried_against_your_code

    This way I could try: wp-content//uploads/test/fakeimg-1x.gifdie() or wp-content//uploads/test/fakeimg-1x.gifphpinfo() and get the image…
    On other tries (such as -1x.jpg.pdf) I got the plugin error message.

    So I suggest securing those rules a little more, like this:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_URI} /wp-content/uploads(.*)\.((?i)jpeg|jpg|png|gif)$
    RewriteCond %{DOCUMENT_ROOT}/wp-content/wppp/images/%1.%2 -f
    RewriteRule .* /wp-content/wppp/images/%1.%2 [L]
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteRule ^(.+)-([0-9]+x[0-9]+)\.((?i)jpeg|jpg|png|gif)$ /wp-content/plugins/wp-performance-pack/modules/dynamic_images/serve-dynamic-images.php [QSA,L]

    This way, on line 2 we check only for files with the jpeg, jpg, png or gif CASE INSENSITIVE extension. Not interfering with other plugins (such as webp ones…).
    On line 6, we now avoid:

    • files not having any character before the hyphen character,
    • files without a number after the x character
    • files with trailing characters after the extensions we are looking for

    On most test cases, I now get the system 404 page. Better as it doesn’t concern WPPP.

    Finally, I’m not aware of any [0-9]x[0-9] only generated thumbnails, so maybe regex on line 6 could be:
    ^(.+)-([0-9]{2,}x[0-9]{2,})\.((?i)jpeg|jpg|png|gif)$
    but let’s keep it as is for now, there could be specific usages (FB or other tracking pixel?).

    So, are you interested in changing that this way?

    • This topic was modified 4 years ago by madmax4ever. Reason: problem with tags
  • Thread Starter madmax4ever

    (@madmax4ever)

    Sorry for the mistake on point 3 of the MEANING part.
    This should read:
    AND IF file is found in /wp-content/wppp/images either, USING the same final path used to check previous condition

  • The topic ‘htaccess regex should be improved for treatment and security’ is closed to new replies.
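
Added example (not part of the original post or of the plugin's code): the current and proposed patterns of the last RewriteRule, checked in Python against the sample paths from the post. It assumes the rules sit in the document-root .htaccess and that no sample file exists on disk; the `STRICT` pattern and the last two sample paths are hypothetical additions.

```python
import re

# Python's re rejects a mid-pattern (?i), so the post's PCRE "((?i)jpeg|jpg|png|gif)"
# is written here as the equivalent scoped form "((?i:jpeg|jpg|png|gif))".
EXT = r"((?i:jpeg|jpg|png|gif))"

# Pattern of the last RewriteRule: current and proposed versions from the post.
CURRENT = re.compile(r"^(.*)-([0-9]+)x([0-9]+)?\." + EXT)
PROPOSED = re.compile(r"^(.+)-([0-9]+x[0-9]+)\." + EXT + r"$")
# Hypothetical tightening (not from the post): the stem before the hyphen must
# be part of the file name, because (.+) is also satisfied by the directories.
STRICT = re.compile(r"^(?:.*/)?[^/]+-([0-9]+x[0-9]+)\." + EXT + r"$")

# Paths as seen by a document-root .htaccess (no leading slash). The first
# three come from the post; the rest are constructed for this example.
SAMPLES = [
    "wp-content/uploads/test/-1x.jpg",
    "wp-content/uploads/test/fakeimg-1x.jpeg.exe",
    "wp-content/uploads/test/fakeimg-1x1.png_or_not.pdf",
    "wp-content/uploads/test/photo-150x150.JPG",
    "wp-content/uploads/test/-1x1.jpg",
]


def reaches_php(pattern, rel_path):
    """True if the rule would rewrite rel_path to serve-dynamic-images.php.

    mod_rewrite searches for the pattern (no implicit anchoring), hence
    search(). The !-f condition is assumed true: no sample exists on disk.
    """
    return pattern.search(rel_path) is not None


def compare(paths=SAMPLES):
    """Map each path to (current, proposed, strict) routing decisions."""
    return {p: tuple(reaches_php(rx, p) for rx in (CURRENT, PROPOSED, STRICT))
            for p in paths}


if __name__ == "__main__":
    print(f"{'current':8}{'proposed':9}{'strict':7}path")
    for path, (cur, new, strict) in compare().items():
        print(f"{cur!s:8}{new!s:9}{strict!s:7}{path}")
```

The last row shows that `(.+)` can be satisfied by the directory part of the path alone, so a file name that begins with the hyphen still passes the proposed rule.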