On Fri, Jun 26, 2015 at 1:36 PM, Kurtis Rader <kra...@skepticism.us> wrote:
> My question for James would be how do you know the query string has the
> parameters in that exact order? Unless the query string has been
> hand-crafted you cannot assume the parameters will appear in any specific
> order. Also, your pattern doesn't handle the case where the parameters are
> separated by semicolons (which is a legal alternative to ampersand). In
> general matching against QUERY_STRING is very difficult to do in a robust
> manner.

P.S., Here is an example from my config of how to robustly check for the
presence of a specific query string parameter. In this case I'm looking for a
reference to the WordPress "Revolution Slider" plugin which has had numerous
security flaws and I will never install on my site as a consequence.

# Malware loves to probe for revslider plugin vulnerabilities. Since we don't
# use it (and never will given its history of vulnerabilities) blacklist
# references to it. This is related to the blacklisted-path rules above.
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/revslider/ [NC,OR]
RewriteCond %{QUERY_STRING} (?:^|&|;)action=revslider_ajax_action(?:&|;|$) [NC,OR]
RewriteCond %{QUERY_STRING} (?:^|&|;)action=revslider_show_image(?:&|;|$) [NC]
RewriteRule ^ /blocked.php [END,E=error-notes:probe-for-revslider-plugin]

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
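The following is an added example, not part of Kurtis's message or his config. It mirrors the three RewriteCond patterns above in Python so the behaviour they give (either separator, any parameter order, case-insensitive via [NC], and anchoring that rejects a longer or prefixed name) can be checked against constructed requests. The sample requests, the decode option and the function names are my own; the regexes are the ones from the message. The decode option is there to show one caveat the literal patterns have: a client that percent-encodes characters in the value (for example `_` as `%5F`) sends a query string the patterns do not match as written.

```python
import re
from urllib.parse import unquote

# Python versions of the three RewriteCond patterns from the message above.
# [NC] in mod_rewrite means case-insensitive matching, hence re.IGNORECASE.
REVSLIDER_PATH = re.compile(r"^/wp-content/plugins/revslider/", re.IGNORECASE)
REVSLIDER_ACTIONS = (
    # (?:^|&|;) anchors the name to the start of the string or to a separator,
    # so "xaction=..." does not match; (?:&|;|$) anchors the value to the end
    # or the next separator, so "revslider_ajax_action_foo" does not match.
    re.compile(r"(?:^|&|;)action=revslider_ajax_action(?:&|;|$)", re.IGNORECASE),
    re.compile(r"(?:^|&|;)action=revslider_show_image(?:&|;|$)", re.IGNORECASE),
)


def is_revslider_probe(request_uri, query_string, decode=False):
    """Return True if the quoted rules would send the request to /blocked.php.

    request_uri is the path only (the query string is not part of
    %{REQUEST_URI}). decode=True percent-decodes the query string before
    matching; that step is an addition for illustration, not something the
    quoted rules do, and it shows that an encoded variant such as
    "revslider%5Fajax%5Faction" slips past the literal patterns.
    """
    if REVSLIDER_PATH.search(request_uri):
        return True
    qs = unquote(query_string) if decode else query_string
    return any(pattern.search(qs) for pattern in REVSLIDER_ACTIONS)


# Constructed sample requests (not captured traffic), one per behaviour of
# interest: separator, parameter order, case, anchoring and encoding.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php", "action=revslider_ajax_action&client_action=foo"),
    ("/wp-admin/admin-ajax.php", "client_action=foo;action=revslider_show_image"),
    ("/wp-admin/admin-ajax.php", "ACTION=REVSLIDER_AJAX_ACTION"),
    ("/wp-admin/admin-ajax.php", "action=revslider_ajax_action_foo"),
    ("/wp-admin/admin-ajax.php", "xaction=revslider_ajax_action"),
    ("/wp-content/plugins/revslider/readme.txt", ""),
    ("/wp-admin/admin-ajax.php", "action=revslider%5Fajax%5Faction"),
]


def classify(requests, decode=False):
    """Map each (uri, query string) pair to the block decision."""
    return {req: is_revslider_probe(req[0], req[1], decode) for req in requests}


if __name__ == "__main__":
    for (uri, qs), blocked in classify(SAMPLE_REQUESTS).items():
        label = "BLOCK" if blocked else "pass "
        print(f"{label} {uri}?{qs}")
```

Running it shows the first three requests and the path-based one blocked, and the two anchoring cases passed through, which is the intended behaviour of the patterns. The last request is passed through with the default settings and blocked only with decode=True, which is the encoding caveat above; whether that matters for a given deployment depends on what the application does with such a value.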