httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: no2slash - apache 0.8.2
Date Tue, 25 Jul 1995 15:46:00 GMT
Andrew wrote:
>If PATH_INFO's *only* meant to contain recognisable UNIX path/file
>structures then my example should have been bounced, not mauled but then
>allowed to proceed. 

But your example did conform to the UNIX path/file syntax, so there's no
reason for it to be bounced.

For an example of the pitfalls of using PATH_INFO for random data; consider
trying to send the string "/../" as part of the PATH_INFO.

e.g.
  http://server.com/cgi-bin/test-cgi/REF='/../astr'

Almost every server (and many browsers) will give you
PATH_INFO = /adir'
and I don't think this is particularly bad behaviour.

Even URL-encoding the .. doesn't help;
http://server.com/cgi-bin/test-cgi/REF='/%2e%2e/astr'
gives the same result. This may be a bug though. (Roy?)

 David.

Mime
View raw message