Bugtraq mailing list archives

Are your mod_rewrite rules doing what you expect?


From: Jeff Workman <jworkman () pimpworks org>
Date: Sun, 12 Aug 2001 21:46:26 -0400

My apologies if this has been discussed in the past.

A lot of sites do not wish for their images, or other content, to be linked to from outside of their site. If they use Apache and the mod_rewrite module, they usually have a directive, or several directives, in their httpd.conf like:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/images/.* - [G]

I have found that it is possible to circumvent the above rule by constructing your link like:

http://www.yoursite.com//images/image.jpg

The web browser will then make an HTTP request like "GET //images/image.jpg HTTP/1.0", which does not match this rewrite rule, but is still valid.

This does not appear to be a bug with mod_rewrite or even Apache proper, but it looks like it's inherited from either the filesystem driver, or perhaps your operating system's libc, which, at least on UNIX systems that I am familiar with, handles multiple occurrences of "/" in a pathname as though it were a single "/".

This can be fixed by modifying your RewriteRule directives to reflect this behavior:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/*images/.* - [G]

Which will match multiple occurrences of "/" in the path of the HTTP request.

Jeff
www.pimpworks.org

--
"...and the burnt fool's bandaged finger goes wobbling back to the
fire." -Joe Zeff in the SDM.
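As an added illustration (this is not code from Jeff's post), the following Python script replays the original and the corrected directive pairs above against a handful of constructed requests and lists which hotlinks each one lets through. The "fixed" set uses the referer pattern `^http://www\.yoursite\.com.*$` from the first listing. A third set, `HARDENED_RULE`, is my own assumption that goes one step beyond the post: it pins the referer host with `(/|$)` so a look-alike host such as www.yoursite.com.evil.example no longer satisfies the condition. The sample requests and the host names in them are constructed for the example.

```python
import re

# Constructed requests, not from the original post: (request path as it appears
# in the request line, value of the Referer header; "" means the header was absent).
REQUESTS = [
    ("/images/image.jpg",   "http://www.yoursite.com/page.html"),            # legitimate
    ("/images/image.jpg",   "http://evil.example/hotlink.html"),             # plain hotlink
    ("//images/image.jpg",  "http://evil.example/hotlink.html"),             # the bypass in the post
    ("///images/image.jpg", "http://evil.example/hotlink.html"),             # more leading slashes
    ("/images//image.jpg",  "http://evil.example/hotlink.html"),             # doubled slash later in the path
    ("/images/image.jpg",   "http://www.yoursite.com.evil.example/x.html"),  # look-alike referer host
    ("/images/image.jpg",   ""),                                             # no Referer at all
]

# Each rule set mirrors one "RewriteCond %{HTTP_REFERER} !<cond>" + "RewriteRule <rule> - [G]" pair.
ORIGINAL_RULE = {"cond": r"^http://www\.yoursite\.com.*$", "rule": r"^/images/.*"}
FIXED_RULE    = {"cond": r"^http://www\.yoursite\.com.*$", "rule": r"^/*images/.*"}
# Assumption added here, beyond the post: also pin the referer host so that
# "www.yoursite.com.evil.example" does not satisfy the condition.
HARDENED_RULE = {"cond": r"^http://www\.yoursite\.com(/|$)", "rule": r"^/*images/.*"}


def is_blocked(path, referer, cond, rule):
    """Emulate the directive pair: the RewriteCond is negated ('!'), so the rule
    fires (410 Gone) only when the referer does NOT match cond AND the request
    path matches rule. These patterns use no syntax on which Python's re and
    Apache's regex engine differ."""
    referer_is_foreign = re.match(cond, referer) is None
    return referer_is_foreign and re.match(rule, path) is not None


def fs_path(path):
    """The file the request actually reaches: as the post notes, the OS treats a
    run of '/' as a single '/', so every spelling below opens the same file."""
    return re.sub(r"/+", "/", path)


def hotlink_bypasses(rules):
    """Requests from outside the site that reach a file under /images/ without
    being blocked by the given rule set."""
    bypassed = []
    for path, referer in REQUESTS:
        legitimate = referer.startswith("http://www.yoursite.com/")
        hits_images = fs_path(path).startswith("/images/")
        if not legitimate and hits_images and not is_blocked(path, referer, **rules):
            bypassed.append((path, referer))
    return bypassed


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL_RULE), ("fixed", FIXED_RULE), ("hardened", HARDENED_RULE)]:
        print(f"{name:9s} rule set lets through: {hotlink_bypasses(rules)}")
```

Two practical notes. First, inside a per-directory context (.htaccess) mod_rewrite matches the path relative to that directory, without a leading slash, so the tolerant `^/*images/` form is the one that works in both places. Second, the Referer header is supplied by the client, so any of these rules is deterrence against casual hotlinking, not access control: a client that sends a forged Referer passes every variant. Apache itself kept repeated slashes in the request URI exactly as the post describes until 2.4.39 added the MergeSlashes directive (on by default), so on older servers the `^/*` form is the only thing standing between the rule and the bypass.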

