httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Mon, 06 Nov 1995 15:05:52 GMT
  RST: THERE IS A BUG. Apache is NOT compatible with NCSA httpd in this
  respect.

No there is not --- NCSA 1.3 handles Alias comparisons the same way as
the current 0.8.16 code --- by straight comparison with initial substrings.
The "ban //" hack is the one which *introduces* an incompatibility, which
is the reason I am dead set to veto it.

As to the site which has "suffered consequences" --- it was misconfigured.
PERIOD.  FULL STOP.

Even if you feel compelled to make this misconfigured site "work" ---
as I do not --- it is possible to "fix" it without breaking pointers
to my site which people have come to rely on --- the first patch I
submitted accomplishes that.  (NB that "security" problems come with
ScriptAlias *only*, so mucking around with other code would be an
unnecessary, and hence *highly* undesirable, complication).

rst
