httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Dean Gaudet)
Subject Re: security hole redux
Date Thu, 28 Nov 1996 10:02:39 GMT
It would seem prudent to add a feature to mod_dir that makes it require
a particular file (say .htautoindex) to exist in a directory before it
will generate an index.  How many times have we run into problems where
mod_dir can be coaxed into giving out the directory listing?


In article <>,
Brian Behlendorf  <> wrote:
>I will veto any release of Apache 1.2 with the security hole I mentioned
>earlier this week.  Can someone familiar with content negotiation and mod_dir
>please look into this issue?  My guess is that mod_dir is specified as a
>handler for */*, and when mod_negotiation declines the request by finding no
>acceptable variant, mod_dir kicks in.  But I don't really know that stretch of
>code.  I will try to look into it today, but I'm way behind on the
>learning curve.
>	Brian

View raw message