# For general info on Rewrite rules, see:
#   https://github.com/aurelius0523/tomcat-url-rewrite
# For more specific help on how set up Tomcat config files to this functionality, see
#   https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html


# By default, Greenstone3 no longer allows document redirects such as
#   https://mygreenstone.org/greenstone3/library?el=&a=d&c=mycol&d=&rl=0&href=//malicious-site.com
# As this allows Open Redirect attacks
#
# We are working on an upgrade to GS3 that will allowing redirects that match a fixed list of URLs (regex)
# However, this is not yet in the code base, an so we are disabling by default for now

# Each rewrite condition line is by default connected to the next one with an AND operation,
# see https://serverfault.com/questions/293160/apache-rewrite-multiple-conditions
# The following ensures that links (href anywhere in query string) that are *not* relative
# (so rl=0 anywhere in query string) now return F(orbidden) for security reasons. This change
# ensures that relative links (rl=1) work again. 

RewriteCond %{QUERY_STRING} (^href=.*$)|(^.*&href=.*$)
RewriteCond %{QUERY_STRING} (^rl=0.*$)|(^.*&rl=0.*$)
RewriteRule   ^(.*)$   $1   [F]