Beware of the MultiView

I’ve been seeing some very confusing behaviour involving mod_rewrite and PHP.

I have this rewrite rule in a .htaccess file (it just allows me to see what the incoming URL looked like for test purposes):

RewriteRule (*.) x.php?x=$1 [R,L]

If I feed it a URL like:

http://www.example.com/thing/123

it matches the whole thing/123 part and maps it to my desired URL:

http://www.example.com/x.php?x=thing/123

That’s all fine. Now the weird bit. If I happen to have a script with the same base name as the matching path part, like “thing.php”, it gets magically picked up and inserted into the URL, so I end up with:

http://www.example.com/x.php?x=thing.php/123

Huh?! How did the ‘.php’ get in there?

Now because this rule is in a .htaccess file, it’s handled last in the chain of things that apache might do (and there are no other rewrite rules), it must be something further upstream that’s mapping ‘thing’ to ‘thing.php’. My first idea was that it might be looking inside thing.php (using mime_magic) and mapping its type, and file extension, according to the AddType directive that PHP is enabled by. However, turning off mime magic doesn’t stop it happening, so it’s not that.

It DOES stop doing it if I disable PHP – but why should PHP be involved in this at all? The final URL will eventually hit PHP, but because in this case I’m using [R] (which forces an external redirect) in the rewrite rule, PHP won’t see that until the request returns from the browser.

Is there some automatic aliasing thing that suggests that files without extensions might be some other kind of file? Well, that sounds like a fair description of the kind of thing that Apache’s MultiViews do. Surprise surprise – I turn MultiViews off and it all starts acting normally. As yet I’ve not figured out how to stop it a little more selectively (as MultiViews are a nice feature otherwise), but I can live without them for now.

Leave a Reply