Received: by taz.hyperreal.com (8.6.12/8.6.5) id HAA25173; Mon, 6 Nov 1995 07:06:04 -0800
Received: from life.ai.mit.edu by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id HAA25167; Mon, 6 Nov 1995 07:06:02 -0800
Received: from volterra.ai.mit.edu by life.ai.mit.edu (4.1/AI-4.10) for new-httpd@hyperreal.com id AA10046; Mon, 6 Nov 95 10:05:54 EST
From: rst@ai.mit.edu (Robert S. Thau)
Received: by volterra.ai.mit.edu (8.6.12/AI-4.10) id KAA04738; Mon, 6 Nov 1995 10:05:52 -0500
Date: Mon, 6 Nov 1995 10:05:52 -0500
Message-Id: <199511061505.KAA04738@volterra.ai.mit.edu>
To: new-httpd@hyperreal.com
Subject: Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

   RST: THERE IS A BUG. Apache is NOT compatible with NCSA httpd in this respect.

No there is not --- NCSA 1.3 handles Alias comparisons the same way as the current 0.8.16 code --- by straight comparison with initial substrings. The "ban //" hack is the one which *introduces* an incompatibility, which is the reason I am dead set to veto it.

As to the site which has "suffered consequences" --- it was misconfigured. PERIOD. FULL STOP.

Even if you feel compelled to make this misconfigured site "work" --- as I do not --- it is possible to "fix" it without breaking pointers to my site which people have come to rely on --- the first patch I submitted accomplishes that. (NB that "security" problems come with ScriptAlias *only*, so mucking around with other code would be an unnecessary, and hence *highly* undesirable, complication).

rst
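An added illustration, not part of the original message and not Apache or NCSA code, nor either patch discussed in the thread: the "straight comparison with initial substrings" described above, next to a comparison that treats a run of slashes as a single slash. The function names, the `/cgi-bin/` prefix and the sample URIs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Straight initial-substring comparison, as the message describes.
 * Returns the number of URI bytes covered by the alias, or 0 if no match. */
size_t alias_match_prefix(const char *uri, const char *alias)
{
    size_t n = strlen(alias);
    return strncmp(uri, alias, n) == 0 ? n : 0;
}

/* Hypothetical slash-tolerant comparison: any run of '/' in the URI or the
 * alias counts as one '/'. Returns the number of URI bytes consumed, or 0. */
size_t alias_match_slashes(const char *uri, const char *alias)
{
    const char *u = uri, *a = alias;

    while (*a) {
        if (*a == '/') {
            if (*u != '/')
                return 0;
            while (*a == '/') a++;   /* collapse the run on both sides */
            while (*u == '/') u++;
        } else {
            if (*u != *a)
                return 0;
            u++;
            a++;
        }
    }
    return (size_t)(u - uri);
}

int main(void)
{
    const char *alias = "/cgi-bin/";   /* constructed sample prefix */
    const char *uris[] = { "/cgi-bin/test.cgi", "//cgi-bin/test.cgi",
                           "/docs/index.html" };

    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-20s prefix=%zu slash-tolerant=%zu\n", uris[i],
               alias_match_prefix(uris[i], alias),
               alias_match_slashes(uris[i], alias));
    return 0;
}
```

With the plain prefix test, a URI with a doubled leading slash does not match the configured prefix at all, so whatever handling is tied to that prefix is not applied to it; the slash-tolerant test matches it without rejecting `//` in URLs generally.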