httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Tue, 07 Nov 1995 16:09:55 GMT
Given that I have already submitted a patch for all the CERT-reported
problems which deals correctly with /./, and that this patch doesn't,
I don't believe it's a good choice.

Besides which --- take it from the guy who originally designed this
thing, directory_walk is very subtle stuff, and it is extremely
difficult to forsee all potential nasty consequences of changes made
there, as we have seen.  I'm not bragging about this; while I think
the code is a great improvement over the corresponding portions of the
NCSA base code, it is still far from clear and simple.  And no, this
does not contradict my preference for simple changes where possible
--- there is just no such thing as a simple change to directory_walk,
because of the complexity of the routine as it stands.

That may not be pleasant, but it is the reality we have to deal with.
And given that reality, I *much* prefer changes elsewhere, where
possible, particularly if it's something like a routine like no2slash,
where you can easily construct a simple, complete set of test cases,
look at the input, look at the output, and see if it worked.

If we are really going to get something out the door as 1.0 anytime
this *month* (are we even trying any more?), I would much prefer not to
mess with directory_walk.  


View raw message