httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Apache incompatibility
Date Thu, 19 Oct 1995 12:19:00 GMT
Apache incompatibility with NCSA httpd, and possible security hole:

Apache server-side includes allow #include file=arbitrary-path
whereas NCSA only allows #include file=local-file

'arbitrary-path' is the name of any file on the system, whereas 'local-file'
can only be the name of a file in the same directory as the included file.
i.e. NCSA httpd does not allow '/' in 'local-file'.

As web-admins are expecting the NCSA behaviour, we should either document
this visibly, or fix it.

 David.


Mime
View raw message