Differences
This shows you the differences between two versions of the page.
litespeed:wiki:feature:internal_redirect [2014/05/22 20:28] George Wang [Internal Redirect via LiteSpeed] |
litespeed:wiki:feature:internal_redirect [2014/05/22 20:29] George Wang [Internal Redirect via LiteSpeed] |
||
---|---|---|---|
Line 51: | Line 51: | ||
=== Security Consideration === | === Security Consideration === | ||
- | Unlike X-Sendfile or X-Accel-Redirect implementation in other web servers, LiteSpeed uses a URL instead of file path for security reasons. In this way, only file under document root of a virtual host or a Context can be returned, otherwise, it could be a huge security issue if for some reason, either tricked or intentionally, the script sent back a header "X-Sendfile: /../etc/./password%00" or something like that, user accounts on your server is no longer a secret. 8-) | + | Unlike X-Sendfile or X-Accel-Redirect implementation in other web servers, LiteSpeed uses a URL instead of file path for security reasons. In this way, only file under document root of a virtual host or a Context can be returned, otherwise, it could be a huge security issue if for some reason, either tricked or intentionally, the script sent back a header "X-Sendfile: /../etc/./passwd%00" or something like that, user accounts on your server is no longer a secret. 8-) |
=== Protecting file from direct access === | === Protecting file from direct access === |
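Review bot: The replacement sentence under "Security Consideration" keeps the grammar problems of the line it replaces, and they are worth fixing in the same edit: "only file under document root" should read "only files under the document root", "user accounts on your server is no longer a secret" should read "are no longer a secret", and the clause starting at "otherwise" reads better as its own sentence. The trailing "8-)" sits oddly in a security note and could be dropped. It would also help to say in a few words why the sample header is dangerous, namely that the "/../" segments climb out of the intended directory and the "%00" suffix is a null-byte truncation attempt, so that readers who do not recognise the pattern see why serving by URL under the document root or a Context is the safer design.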