httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Sat, 04 Nov 1995 01:21:33 GMT
  I don't think any code changes are warranted at this time.  Let's not 
  beat ourselves up over this issue.

So --- Brian doesn't think there's a bug, neither does Ben (item 1 of
his note on the subject was "there isn't a bug"), and I believe I now
agree as well.  In the absence of a bug, I think I agree with Brian
that the question of fixes for it is moot, particularly when the
non-fixes to the non-problem have a very real potential to introduce
difficulties worse than the one they purport to solve.

(BTW, in the few hours I had it running, the "ban //" hack did bounce
a nontrivial number of people with URLs that used to work --- more
than ten distinct sites, one being an AOL proxy).

Let's just document that having cgi-bin directories under DocumentRoot
is a Really Bad Idea, and let that be the end of it.


View raw message