httpd-dev mailing list archives

From Andrew Wilson <and...@tees.elsevier.co.uk>
Subject re: Apache incompatibility
Date Thu, 19 Oct 1995 17:09:25 GMT
> Apache incompatibility with NCSA httpd, and possible security hole:
> 
> Apache server-side includes allow #include file=arbitrary-path
> whereas NCSA only allows #include file=local-file
> 
> 'arbitrary-path' is the name of any file on the system, whereas 'local-file'
> can only be the name of a file in the same directory as the included file.
> i.e. NCSA httpd does not allow '/' in 'local-file'.

Mmm,	file="Sub/Directory/thing.html" good
	file="/etc/passwd"		bad

So '/' is allowed, but not as the first character.  Right?  Also, '..' is
not allowed anywhere in file.

> As web-admins are expecting the NCSA behaviour, we should either document
> this visibly, or fix it.

We should fix it, in preference to just documenting it and giving NCSA-happy
people another reason to not use Apache.

>  David.

Ay.
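
Added example, not part of the original message and not Apache or NCSA source code: a C check for the `#include file=` argument that applies the rule as stated in the reply above ('/' allowed except as the first character, '..' not allowed anywhere). The function name `ssi_check_include_file`, the result codes and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum ssi_path_result {
    SSI_PATH_OK = 0,
    SSI_PATH_EMPTY,      /* NULL or zero-length argument */
    SSI_PATH_ABSOLUTE,   /* begins with '/' */
    SSI_PATH_PARENT      /* contains ".." anywhere */
};

/*
 * Check the value of an SSI  #include file="..."  argument against the
 * rule stated in the message: '/' may appear, but not as the first
 * character, and ".." may not appear anywhere in the string.
 */
enum ssi_path_result ssi_check_include_file(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return SSI_PATH_EMPTY;
    if (path[0] == '/')
        return SSI_PATH_ABSOLUTE;
    /* Strict substring test: this also rejects names like "a..b". */
    if (strstr(path, "..") != NULL)
        return SSI_PATH_PARENT;
    return SSI_PATH_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = {
        "Sub/Directory/thing.html",
        "/etc/passwd",
        "../secret.html",
        "Sub/../../etc/passwd",
        "notes..old.html",
        ""
    };
    static const char *names[] = { "ok", "empty", "absolute", "parent-ref" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               names[ssi_check_include_file(samples[i])]);
    return 0;
}
```

This is a lexical check on the argument string only; it does not resolve symbolic links inside the document tree.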
