httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Fri, 03 Nov 1995 18:02:00 GMT
>  1. Remove no2slash()
>  2. In directory walk (or wherever we match the URL to a file) _reject_
>     a filename with a void path segment.
>
>-1.  This problem, if there is a problem, is in the alias code exclusively.
>The directory walk code is not implicated, and I see no reason to mess with
>it without due cause, at this point in the release cycle --- that being a
>clear bug which has to do directly with it.

Well, here's my vote on your patch:
-1 overcomplicated; simpler alternative is better, particularly considering
   the timing, and is available

the comment should sound familiar; you made it about 34_htgroup.

You patch is unnecesarily complicated. It adds a new routine to the
Alias module; my patch is essentially a 3-line change to http_request.c.

Your patch is an ad-hoc solution to the problem that was created by
allowing multiple slashes in a URL. Your patch does not fix the identical
(but less serious) bugs in UserDir and AddDescription, and anywhere else
that a URL is parsed.

My patch solves all these by simply disallowing URLs with repeated slashes.

After all your comments about large changes being bad just before a
1.0 release, you will have to argue very strongly to convince me that your
much larger patch is appropriate.

 David.

Mime
View raw message