httpd-dev mailing list archives

From "Aram W. Mirzadeh" <...@qosina.com>
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Fri, 03 Nov 1995 15:51:47 GMT
At 09:37 AM 11/3/95 GMT, you wrote:
>
>Hmm, I'm not sure this is the best solution; can we guarantee that
>this won't crop up in other modules?

No.

>
>The problem is the original completely bogus no2slash(); there is no
>reason why http://host/dira//dirb/file should be the same as
>http://host/dira/dirb/file.
>
>We already don't remove double slashes for CGI script PATH_INFO; I suggest
>that we don't remove double slashes anywhere.

Huh?  I don't get it... we don't know what else could be broken, so let's
not fix anything at all?  That doesn't make any sense... we should fix
what needs to be fixed, unless by fixing a whole lot of other things are
going to die.

>
>So:
>1. Remove no2slash()
>2. In directory walk (or wherever we match the URL to a file) _reject_
>   a filename with a void path segment.
>
> David.
>
>
--
Aram W. Mirzadeh, MIS Manager, Qosina Corporation
http://www.qosina.com/~awm/, awm@qosina.com
Apache httpd server team http://www.apache.org
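
The two policies debated in this message, side by side, as an added example (not code from the thread or from Apache): collapsing repeated slashes versus rejecting any path with a void segment. The names `collapse_slashes`, `check_url_path` and `path_status` are hypothetical, the sample paths are constructed, and accepting a single trailing slash as a directory request is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is not Apache's no2slash() or directory walk. */
enum path_status { PATH_OK, PATH_NOT_ABSOLUTE, PATH_VOID_SEGMENT };

/* Policy A: collapse every run of '/' to one '/', in place (the
 * double-slash removal the thread attributes to no2slash()).
 * Returns the new length. */
size_t collapse_slashes(char *path)
{
    size_t r, w = 0;
    for (r = 0; path[r] != '\0'; r++) {
        if (path[r] == '/' && w > 0 && path[w - 1] == '/')
            continue;                 /* drop the repeated slash */
        path[w++] = path[r];
    }
    path[w] = '\0';
    return w;
}

/* Policy B: leave the path untouched and refuse it when any segment
 * is empty, i.e. two slashes are adjacent. A single trailing '/' is
 * accepted (assumption of this example). */
enum path_status check_url_path(const char *path)
{
    const char *p;
    if (path[0] != '/')
        return PATH_NOT_ABSOLUTE;
    for (p = path; *p != '\0'; p++)
        if (p[0] == '/' && p[1] == '/')
            return PATH_VOID_SEGMENT;
    return PATH_OK;
}

int main(void)
{
    /* Constructed sample paths. */
    const char *samples[] = { "/dira/dirb/file", "/dira//dirb/file",
                              "/dira/dirb/", "//dira", "dira/file" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[64];
        strncpy(buf, samples[i], sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
        collapse_slashes(buf);
        printf("%-18s collapse -> %-16s reject-policy status -> %d\n",
               samples[i], buf, (int)check_url_path(samples[i]));
    }
    return 0;
}
```

Under policy A the two URLs quoted in the message end up as the same string; under policy B the one with the void segment is refused before any file lookup.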


