httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Fri, 03 Nov 1995 18:44:38 GMT
> 
> After looking yours over, I *think* I could live with it (probably in
> preference to mine) --- I was worried in particular about // in PATH_INFO,
> but you seem to have done that right.  However, I'm still wondering (with
> Brian, apparently) whether there really is a problem here at all... there
> isn't in, at least, the default, out-of-the-box configuration.

Even though I haven't been commenting, I have been (half) paying attention.
FWIW, here are my thoughts:

1. There isn't a bug - appropriate configuration would solve the reported
problem. Putting cgi-bin in your document tree seems unwise. I suppose that
other URLs would also be able to access it (e.g. /somedir/../cgi-bin/somescript), but I haven't
tried it. Also, presumably, SSIs could include them, even
with the new restrictions, which would present an internal security problem.

2. Double slashes don't currently mean anything to Apache, don't make any great
sense to me, and lead to unintuitive defeats of various useful mechanisms. It
would seem not unreasonable to ban them, pending a defined use of them, or to
convert them all to single slashes.

I don't understand the need for support of // in PATH_INFO, though.

Cheers,

Ben.

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant        Fax:   +44 (181) 994 6472
and Technical Director      Email: ben@algroup.co.uk
A.L. Digital Ltd,
London, England.
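As an added illustration of point 2 (this is example code, not code from Apache or from the message): a small canonicaliser that collapses repeated slashes and resolves `.` and `..`, beside a naive prefix rule on the raw request path and the same rule applied after canonicalisation. The `/cgi-bin/` alias and the request paths used are constructed for the example.

```c
/* Added example, not code from Apache or from the message above: an access
 * rule keyed on the raw URL path vs. the same rule after canonicalisation. */
#include <string.h>

/* Canonicalise an absolute URL path into out: collapse runs of '/',
 * drop "." segments, resolve ".." segments.  Returns 0 on success,
 * -1 if ".." would climb above "/" or the result does not fit. */
int canonicalize_path(const char *in, char *out, size_t outsz) {
    size_t len = 0;                 /* bytes written so far */
    const char *p = in;
    if (outsz < 2) return -1;
    out[len++] = '/';
    while (*p) {
        while (*p == '/') p++;      /* a run of slashes is one separator */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 1) return -1;            /* would climb above "/" */
            len--;                              /* drop trailing '/' */
            while (out[len - 1] != '/') len--;  /* pop one segment */
            continue;
        }
        if (len + seglen + 1 >= outsz) return -1;
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len++] = '/';
    }
    /* keep a trailing '/' only when the request had one */
    if (len > 1 && in[strlen(in) - 1] != '/') len--;
    out[len] = '\0';
    return 0;
}

/* Naive rule: the request is a script if the raw path begins with the
 * ScriptAlias prefix.  "//cgi-bin/x" and "/docs/../cgi-bin/x" reach the
 * same file yet fail this test. */
int naive_is_script(const char *path, const char *alias) {
    return strncmp(path, alias, strlen(alias)) == 0;
}

/* Safer rule: canonicalise first, then apply the same prefix match. */
int canonical_is_script(const char *path, const char *alias) {
    char buf[256];
    if (canonicalize_path(path, buf, sizeof buf) != 0) return 0;
    return strncmp(buf, alias, strlen(alias)) == 0;
}
```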
