httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: [Fwd: Apache Security Problem]
Date Wed, 10 Apr 1996 16:53:03 GMT
>Does anyone know of a reason why all occurances of "..\" in a URL can't be
>translated to "../"? The security hole is caused by the fact that "..\" under
>OS/2 is equivalent to "../" under UNIX. If I translate them and let Apache do
>its regulary testing the proper response will be returned.

If filenames under OS/2 cannot contain '\', then I'd strongly recommend
getting Apache to reject paths containing that character.

A simple fix would be to reject all URLs containing \ as part of the
path, just after, and in a similar manner to unescape_url().

A more sophisticated (and difficult) fix would integrate this check into
the get_path_info code; this would allow /dir/script.cgi/some\data.

Any other approach is likely to run into problems somewhere.

 David.

Mime
View raw message