httpd-dev mailing list archives

From dgau...@hotwired.com (Dean Gaudet)
Subject Re: security hole redux
Date Thu, 28 Nov 1996 10:02:39 GMT
It would seem prudent to add a feature to mod_dir that makes it require
a particular file (say .htautoindex) to exist in a directory before it
will generate an index.  How many times have we run into problems where
mod_dir can be coaxed into giving out the directory listing?

Dean

In article <hot.mailing-lists.new-httpd-Pine.GSO.3.95.961127105346.28147D-100000@eat.organic.com>,
Brian Behlendorf  <new-httpd@hyperreal.com> wrote:
>
>I will veto any release of Apache 1.2 with the security hole I mentioned
>earlier this week.  Can someone familiar with content negotiation and mod_dir
>please look into this issue?  My guess is that mod_dir is specified as a
>handler for */*, and when mod_negotiation declines the request by finding no
>acceptable variant, mod_dir kicks in.  But I don't really know that stretch of
>code.  I will try to look into it today, but I'm way behind on the
>learning curve.
>
>	Brian
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
>
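
The opt-in check suggested in the message above, sketched as an added example; this is not code from Apache or from either poster. The names `autoindex_allowed` and `fallback_status`, the 403 answer, and the choice to reject a marker that is a symlink are assumptions of the sketch; only the marker name `.htautoindex` comes from the message.

```c
/* Added example, not Apache source: opt-in gate for generated indexes. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define INDEX_MARKER ".htautoindex" /* file name suggested in the message */
enum index_decision { INDEX_DENY = 0, INDEX_ALLOW = 1 };

/* Allow a listing only when dir/.htautoindex is a regular file.
 * Assumption of this sketch: every other outcome (marker missing, symlink,
 * directory, over-long path, lstat error) denies, so errors fail closed. */
enum index_decision autoindex_allowed(const char *dir)
{
    char path[PATH_MAX];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/%s", dir, INDEX_MARKER);
    if (n < 0 || (size_t)n >= sizeof path)
        return INDEX_DENY;              /* truncated path: do not guess */
    if (lstat(path, &st) != 0)
        return INDEX_DENY;              /* no marker, or cannot inspect it */
    return S_ISREG(st.st_mode) ? INDEX_ALLOW : INDEX_DENY;
}

/* Hypothetical last-resort step, reached when nothing else served the
 * request. Returns the HTTP status a server could answer with. */
int fallback_status(const char *dir)
{
    return autoindex_allowed(dir) == INDEX_ALLOW ? 200 : 403;
}

int main(void)
{
    char dir[] = "/tmp/autoindex-demo-XXXXXX"; /* constructed sample dir */
    char marker[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return 1;
    printf("no marker:   %d\n", fallback_status(dir));
    snprintf(marker, sizeof marker, "%s/%s", dir, INDEX_MARKER);
    if ((f = fopen(marker, "w")) != NULL) fclose(f);
    printf("with marker: %d\n", fallback_status(dir));
    unlink(marker);
    rmdir(dir);
    return 0;
}
```

With a gate like this on the fallback path, a request that reaches the index generator by an unexpected route still gets no listing unless the directory owner created the marker.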


