Received: by taz.hyperreal.com (8.6.12/8.6.5) id HAA26803; Mon, 6 Nov 1995 07:33:52 -0800 Received: from luers.qosina.com by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id HAA26793; Mon, 6 Nov 1995 07:33:49 -0800 Received: from guru.qosina.com (guru.qosina.com [206.64.187.50]) by luers.qosina.com (8.6.11/8.6.9) with SMTP id LAA08286 for ; Mon, 6 Nov 1995 11:31:45 -0500 Date: Mon, 6 Nov 1995 11:31:45 -0500 Message-Id: <199511061631.LAA08286@luers.qosina.com> X-Sender: awm@qosina.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: new-httpd@hyperreal.com From: "Aram W. Mirzadeh" Subject: Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux) Sender: owner-new-httpd@apache.org Precedence: bulk Reply-To: new-httpd@apache.org Then I would suggest someone to come up with a letter for initial complainer. He wanted an answer, and I told him we would have one for him. At 10:05 AM 11/6/95 -0500, you wrote: > RST: THERE IS A BUG. Apache is NOT compatible with NCSA httpd in this > respect. > >No there is not --- NCSA 1.3 handles Alias comparisons the same way as >the current 0.8.16 code --- by straight comparison with initial substrings. >The "ban //" hack is the one which *introduces* an incompatibility, which >is the reason I am dead set to veto it. > >As to the site which has "suffered consequences" --- it was misconfigured. >PERIOD. FULL STOP. > >Even if you feel compelled to make this misconfigured site "work" --- >as I do not --- it is possible to "fix" it without breaking pointers >to my site which people have come to rely on --- the first patch I >submitted accomplishes that. (NB that "security" problems come with >ScriptAlias *only*, so mucking around with other code would be an >unnecessary, and hence *highly* undersirable, complication). > >rst > > -- Aram W. Mirzadeh, MIS Manager, Qosina Corporation http://www.qosina.com/~awm/, awm@qosina.com Apache httpd server team http://www.apache.org