httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aram W. Mirzadeh" <>
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Mon, 06 Nov 1995 16:31:45 GMT

Then I would suggest someone to come up with a letter for initial 
complainer.   He wanted an answer, and I told him we would have 
one for him.


At 10:05 AM 11/6/95 -0500, you wrote:
>  RST: THERE IS A BUG. Apache is NOT compatible with NCSA httpd in this
>  respect.
>No there is not --- NCSA 1.3 handles Alias comparisons the same way as
>the current 0.8.16 code --- by straight comparison with initial substrings.
>The "ban //" hack is the one which *introduces* an incompatibility, which
>is the reason I am dead set to veto it.
>As to the site which has "suffered consequences" --- it was misconfigured.
>Even if you feel compelled to make this misconfigured site "work" ---
>as I do not --- it is possible to "fix" it without breaking pointers
>to my site which people have come to rely on --- the first patch I
>submitted accomplishes that.  (NB that "security" problems come with
>ScriptAlias *only*, so mucking around with other code would be an
>unnecessary, and hence *highly* undersirable, complication).
Aram W. Mirzadeh, MIS Manager, Qosina Corporation,
Apache httpd server team

View raw message