httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Request for Information (fwd)
Date Thu, 28 Nov 1996 08:48:24 GMT

not acked.

----- Forwarded message from Garo Kiremidjian -----

From: Garo Kiremidjian <GaroK@k2inc.com>
To: 'Apache' <apache-bugs@apache.org>
Subject: Request for Information
Date: Wed, 27 Nov 1996 17:11:21 -0800
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Has the bug reported by Dean Gaudet been fixed? (The report by Dean
Gaudet appears below)

Hostnames such as "123.hotwired.com" are valid, yet find_allowdeny does 
not properly handle them. This should be put on Known Bugs. Be careful 
when fixing this because just removing the isalpha() check creates a 
security hole, consider the DNS map "1.1.1.1.in-addr.arpa IN PTR 2.2.2."
if the user has a config line "allow from 2.2.2" it will allow 1.1.1.1 
in (unless -DMAXIMUM_DNS). -- which is bad because it breaks people who 
understand double reverse lookup and are trying to avoid it by using 
only IP addresses on allow/deny statements. - reported by Dean Gaudet

----- End of forwarded message from Garo Kiremidjian -----

-- 
Rob Hartill.       Internet Movie Database Ltd.    http://www.imdb.com/  
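
The three behaviours in the forwarded report, as an added example that is not Apache's code and not from this thread: the isalpha() guard, the guard removed, and one way to keep address rules away from reverse-DNS data by classifying the rule rather than the looked-up name. All function names are hypothetical, and treating a rule made only of digits and dots as an address prefix is an assumption of this sketch.

```c
#include <ctype.h>
#include <string.h>

/* Suffix match on a label boundary: "hotwired.com" matches
 * "123.hotwired.com" but not "nothotwired.com". */
static int in_domain(const char *domain, const char *host) {
    size_t dl = strlen(domain), hl = strlen(host), i;
    if (dl == 0 || hl < dl) return 0;
    for (i = 0; i < dl; i++)
        if (tolower((unsigned char)domain[i]) !=
            tolower((unsigned char)host[hl - dl + i])) return 0;
    return hl == dl || domain[0] == '.' || host[hl - dl - 1] == '.';
}

/* Prefix match on an octet boundary: "2.2.2" matches "2.2.2.9", not "2.2.20.9". */
static int in_ip(const char *prefix, const char *ip) {
    size_t pl = strlen(prefix);
    if (pl == 0 || strncmp(prefix, ip, pl) != 0) return 0;
    return prefix[pl - 1] == '.' || ip[pl] == '\0' || ip[pl] == '.';
}

/* Assumption of this sketch: a rule of only digits and dots is an address prefix. */
static int is_ip_token(const char *tok) {
    if (*tok == '\0') return 0;
    for (; *tok; tok++)
        if (!isdigit((unsigned char)*tok) && *tok != '.') return 0;
    return 1;
}

/* Guard as described in the report: PTR names that do not start with a
 * letter are skipped, so "123.hotwired.com" never matches a name rule. */
int allow_isalpha_guard(const char *rule, const char *peer_ip, const char *ptr) {
    if (ptr && isalpha((unsigned char)ptr[0]) && in_domain(rule, ptr)) return 1;
    return in_ip(rule, peer_ip);
}

/* Guard simply removed: every rule is also compared with the PTR name,
 * which is data controlled by whoever runs the client's reverse zone. */
int allow_unguarded(const char *rule, const char *peer_ip, const char *ptr) {
    if (ptr && in_domain(rule, ptr)) return 1;
    return in_ip(rule, peer_ip);
}

/* Decide by the form of the rule: address rules see only the socket
 * address, name rules see only the PTR name. */
int allow_by_rule_type(const char *rule, const char *peer_ip, const char *ptr) {
    if (is_ip_token(rule)) return in_ip(rule, peer_ip);
    return ptr != NULL && in_domain(rule, ptr);
}
```

Name rules in the last function still depend on the PTR record being trustworthy, which is the case the report's -DMAXIMUM_DNS remark covers.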
