Received: by taz.hyperreal.com (8.6.12/8.6.5) id HAA15740;
 Sun, 5 Nov 1995 07:58:52 -0800
Received: from cass41 by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id
 HAA15725; Sun, 5 Nov 1995 07:58:29 -0800
Received: from mamba.ast.cam.ac.uk by cass41 with smtp
	(Smail3.1.29.1 #9) id m0tC7Rd-000CMCC; Sun, 5 Nov 95 15:57 GMT
Received: by mamba.ast.cam.ac.uk (Smail3.1.29.1 #9)
	id m0tC7Rd-0000m6C; Sun, 5 Nov 95 15:57 GMT
Message-Id: <m0tC7Rd-0000m6C@mamba.ast.cam.ac.uk>
Date: Sun, 5 Nov 95 15:57 GMT
From: drtr@ast.cam.ac.uk (David Robinson)
To: new-httpd@hyperreal.com
Subject: Re:  double slashes (was Re:  WWW Form Bug Report: "Security bug
 involving ScriptAliased directories" on Linux)
Content-Length: 850
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

>Unfotunately, David's patch *does* break something, to wit, the
>following entry from my access restrictions:
>
>  <Directory /com/web/docs/xperimental/info-gateway/abs>
>  <Limit GET>
>  order deny,allow
>  deny from all
>  allow from 128.52
>  </Limit>
>  </Directory>

I never imagined anyone doing that! However, I suppose it might be useful,
so I prefer your latest patch.

>However, I am increasingly convinced that this simply isn't worth "fixing"
>--- the problem only arises with certain oddball configurations which 
>people can simply be told to avoid, and *any* attempt to fix it seems to
>cause problems at least as severe.

This _is_ a bug, and should be fixed. I might not consider it a 'showstopper',
but I think it would be peverse not to fix it in 0.8.17, (or, for that matter,
any other bugs for which we have patches.)

 David.