URL Migration Tool

I am migrating from Drupal to WordPress, but don’t want to copy everything over. Some articles, I want in WordPress, but others can be left on the old site, or even on an old static archive.

This tool helps create the rewriter rules, and inserts them into the .htaccess file.

I start off by copying the article from the old CMS to the new one. Then I copy the URLs into the form fields on this script. Clicking “preview” loads up the page previews. If they appear to be the same article, we’re good. Press “verify” and the script will try to rewrite the.htaccess file.

The script works by searching for the string “# BEGIN PAGE REDIRECTS\n”. So add a line like that to your .htaccess, within the mod_rewrite block. Don’t indent it, because that causes the match to fail.

chown the file to www-data:www-data so you can write the file. Then create a directory names “htaccess-backups”.

Also, name this file something like nufwenjfkewbefiwfhefdsfmsetsetse.php, so it can never be guessed. This code is a huge security hole.

<?php
function e($t) {
	echo $t;
}
$original = $_POST['original'];
$new = $_POST['new'];
$action = $_POST['action'];

?><html>
<head>
<style>
iframe {
	width: 40%;
	height: 80%;
}
</style>
</head>
<body>
<h1>Migration Tool</h1>

<form method=post>
Original URL:
<input name=original size=50 value="<?php e($original); ?>">
New URL:
<input name=new size=50 value="<?php e($new); ?>">
<input name="action" type=submit value="preview" />
<?php if ($new && $original) { ?>
	<input name="action" type=submit value="verify" />
<?php } ?>
</form>
<?php
	if ($action == 'verify') {
		$start = "# BEGIN PAGE REDIRECTS\n";
		$end = '# END PAGE REDIRECTS';
		$date = date('mdHis');
		copy('.htaccess', 'htaccess-backups/hta-'.$date);
		$file = file_get_contents('.htaccess');
		$match = str_replace('http://riceball.com/d/', '', $original);
		$location = str_replace('http://riceball.com', '', $new);
		$line = 'RewriteRule ^'.$match.'$ '.$location." [L,R=301]\n";
		$newfile = str_replace($start, $start.$line, $file);
		file_put_contents('.htaccess', $newfile);
		echo "<p>";
		echo "Wrote $line";
		echo "<p>";
		echo "Test <a href='$original' target='_blank'>$original</a>";
	} else {
		if ($original) {
			echo "<iframe src='".$original."'></iframe>";
		}
		if ($new) {
			echo "<iframe src='".$new."'></iframe>";
		}
	}


?>
</body>
</html>

A way to hack this script

I think you could post a form where original=/.* and new=some-arbitrary-url and force all the pages to redirect to your arbitrary url, stealing all the links to your site.

The cheap technique I use to combat this is naming the file with a long random string. As long as the attackers can’t get an index of the directory, you’re pretty safe. If you need more security, then put the script into a password-protected subdirectory.

This type of program, which modifies code, is always risky. It’s especially risky because it modifies code that’s executed by Apache, which is hosting the PHP environment, so it potentially affects more than your PHP code. It’s a kind of privilege escalation.

Leave a Reply