buffer too small's reason

Sep 20, 2008 at 5:25 PM
Edited Sep 20, 2008 at 6:12 PM
I used to use RewriteRule only, so I didn't meet the bug.
These days I want IIRF to check whether the file exists,
so I wrote it like this:
RewriteCond  %{HTTP_URL}           /([0-9]{1,4})/?$
RewriteCond  E:\booklist\0\%1.txt     !-f
RewriteRule  ^/([0-9]+)(.*)$   /book/i.aspx?id=$1$2
RewriteRule  ^/([0-9]{1,4})/?$    /shtml/0/$1.txt


After only a minute I got a msgbox showing me "buffer too small".


Why?

I set the log level to 2.

Then I found this. It is not easy to do this; you have to try each of them:

Sun Sep 21 00:47:52 2008 - New Url: '/100458%20and%28char%2894%29+user+char%2894%29%29%3E0'
Sun Sep 21 00:47:52 2008 - Rule 3 : 3 matches
Sun Sep 21 00:47:52 2008 - GenerateReplacementString: Substring index out of range (%20)
Sun Sep 21 00:47:52 2008 - GenerateReplacementString: Substring index out of range (%28)
Sun Sep 21 00:47:52 2008 - GenerateReplacementString: Substring index out of range (%2894)

The reason is that somebody wants to do a SQL attack on my web app.

IIRF treats the string (%20) as a %1-like reference.

----------------------------------------------------------------------
Sorry, this is 12c's bug,
and 14 seems to be OK.


Coordinator
Oct 1, 2008 at 9:48 PM
Just so I am clear, withtaio,

this bug occurs on version 1.2.12,
but does not occur on 1.2.14.

is that right?

If that's true, then ... I don't think I can fix it.
You need to move to v1.2.14.
(at least!)
Oct 6, 2008 at 1:52 PM
If I write a rule like this:
RewriteCond  %{HTTP_URL}%1
and the %{HTTP_URL} is a.apx?p=1%20%30,

then you treat %{HTTP_URL}%1 as a whole, not as two parts.

The point is that the %No in %{HTTP_URL} should not be replaced,
and the %1 after it should be replaced.

To be or not to be, that's a problem!
Coordinator
Oct 6, 2008 at 8:45 PM
Yes, I see.

I think you mean, the % character has multiple meanings: In the replacement string, it is a back-reference to a matched substring. In the URL itself, the % is a flag character for escaping characters.

In v1.2.14 R4, you can use the CondSubstringBackrefFlag directive to specify a different character for the back-reference. I recommend using *. In the ini file include this line:

CondSubstringBackrefFlag  *


In that case you will use %{HTTP_URL}*1. None of the % characters in the URL will be replaced.

Does this help?
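
Added illustration, not part of the thread and not IIRF's code: a small Python model of the ambiguity described above, comparing an expander that rescans the expanded %{HTTP_URL} for back-references with one that tokenises the pattern only once. All function names and the capture values are hypothetical, and dropping out-of-range references is an assumption of the model.

```python
import re

VAR = r"%\{(\w+)\}"  # server-variable token, e.g. %{HTTP_URL}

def _backref(index_text, groups, errors, token):
    """Resolve one back-reference; out-of-range ones are logged and dropped
    (an assumption of this model, not documented IIRF behaviour)."""
    idx = int(index_text)
    if idx < len(groups):
        return groups[idx]
    errors.append(token)
    return ""

def expand_two_pass(pattern, variables, groups, flag="%"):
    """Expand variables first, then rescan the whole result for back-references."""
    errors = []
    text = re.sub(VAR, lambda m: variables[m.group(1)], pattern)
    ref = re.compile(re.escape(flag) + r"(\d+)")
    out = ref.sub(lambda m: _backref(m.group(1), groups, errors, m.group(0)), text)
    return out, errors

def expand_single_pass(pattern, variables, groups, flag="%"):
    """Tokenise the pattern once; substituted values are never rescanned."""
    errors = []
    token = re.compile(VAR + "|" + re.escape(flag) + r"(\d+)")
    def repl(m):
        if m.group(1) is not None:          # %{NAME}: insert the value verbatim
            return variables[m.group(1)]
        return _backref(m.group(2), groups, errors, m.group(0))
    return token.sub(repl, pattern), errors

# Captures from an earlier RewriteCond (constructed): %0 = "/1234", %1 = "1234".
GROUPS = ["/1234", "1234"]
URL = {"HTTP_URL": "a.apx?p=1%20%30"}  # value quoted in the thread

if __name__ == "__main__":
    # Rescanning reads the URL's own %20 and %30 as back-references.
    print(expand_two_pass("%{HTTP_URL}%1", URL, GROUPS))
    # Single pass leaves the URL's escapes alone and still expands %1.
    print(expand_single_pass("%{HTTP_URL}%1", URL, GROUPS))
    # A different flag character (as with CondSubstringBackrefFlag *) avoids the clash.
    print(expand_two_pass("%{HTTP_URL}*1", URL, GROUPS, flag="*"))
    # Constructed URL: an in-range escape (%1F) is silently rewritten, with no error.
    print(expand_two_pass("%{HTTP_URL}%1", {"HTTP_URL": "/a%1Fb"}, GROUPS))
```

The last case is the one to watch for when reviewing rules: an escape whose leading digits happen to be a valid capture index corrupts the test string without producing any log message.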
Oct 10, 2008 at 8:13 AM
thanks a lot
Coordinator
Oct 14, 2008 at 1:38 AM
withtao, did this work for you?  Does it help?