httpd-dev mailing list archives

From d...@ast.cam.ac.uk (David Robinson)
Subject double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Fri, 03 Nov 1995 09:37:00 GMT

>The bug here seems to be that the Alias command and its (effective) variants
>can be foxed by giving them URIs with doubled slashes, which then fail to
>match.  In particular, if the target directory of a ScriptAlias command is
>actually, say, the cgi-bin subdirectory of DocumentRoot, this can be used
>to disable the effects of ScriptAlias.  Here is a patch against *0.8.16*
>which appears to cure the problem:

Hmm, I'm not sure this is the best solution; can we guarantee that
this won't crop up in other modules?

The problem is the original completely bogus no2slash(); there is no
reason why http://host/dira//dirb/file should be the same as
http://host/dira/dirb/file.

We already don't remove double slashes for CGI script PATH_INFO; I suggest
that we don't remove double slashes anywhere.

So:
1. Remove no2slash()
2. In directory walk (or wherever we match the URL to a file) _reject_
   a filename with a void path segment.

 David.
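
An added illustration of the two-step proposal in the message above, not code from the message or from the httpd source: a plain prefix match maps the URL to a filename with no slash collapsing, and the filename is refused if it contains a void segment. The paths, the alias values and the names has_void_segment and translate are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample configuration (assumed values, not from the message). */
#define DOC_ROOT     "/srv/www"
#define SCRIPT_ALIAS "/cgi-bin/"          /* URL prefix */
#define SCRIPT_DIR   "/srv/www/cgi-bin/"  /* target directory inside DOC_ROOT */

enum verdict { REJECT, RUN_AS_SCRIPT, SERVE_AS_DOCUMENT };

/* 1 when the path has a void (empty) segment, i.e. two adjacent slashes. */
int has_void_segment(const char *path)
{
    for (; *path; path++)
        if (path[0] == '/' && path[1] == '/')
            return 1;
    return 0;
}

/* Map a URL path to a filename with a plain prefix match, as an Alias-style
   lookup would; no slash collapsing is done anywhere. */
enum verdict translate(const char *uri, char *file, size_t len)
{
    size_t n = strlen(SCRIPT_ALIAS);
    int script = strncmp(uri, SCRIPT_ALIAS, n) == 0;
    int r = snprintf(file, len, "%s%s", script ? SCRIPT_DIR : DOC_ROOT,
                     script ? uri + n : uri);

    /* Refuse the filename instead of normalising it; a truncated name is
       refused too, since the check would not have seen all of it. */
    if (r < 0 || (size_t)r >= len || has_void_segment(file))
        return REJECT;
    return script ? RUN_AS_SCRIPT : SERVE_AS_DOCUMENT;
}

int main(void)
{
    const char *uris[] = { "/cgi-bin/test.cgi", "//cgi-bin/test.cgi",
                           "/cgi-bin//test.cgi", "/index.html" };
    const char *names[] = { "reject", "script", "document" };
    char file[256];
    size_t i;

    for (i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        enum verdict v = translate(uris[i], file, sizeof file);
        printf("%-20s -> %-28s %s\n", uris[i], file, names[v]);
    }
    return 0;
}
```

The second sample URL misses the alias prefix and would otherwise resolve under the document root to the same file on disk; the void-segment check is what stops it being served as a plain document.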
