httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: problem with log url overflow found
Date Sun, 12 Jan 1997 15:37:24 GMT
Brian Behlendorf wrote:
> 
> On Sat, 11 Jan 1997, Alexei Kosut wrote:
> > On Sat, 11 Jan 1997, Jason Clary wrote:
> > 
> > > aren't multiple reduntant slashes removed automaticaly at the same time
> > > ../'s are removed?  From this, I would guess not.. I'll have to
> > > poke around that part of the code a bit.  But it would seem prudent
> > > to remove illegal redundancies as the absolute first thing you do
> > > after you read the request...  There's no reason for multiple slashes
> > > that I can think of.
> > 
> > You wanna bet on that? Multiple slashes are never removed from
> > r->filename. They are removed from tests done to see if
> > <Directory>/<Location>/<Files> sections match, but they stay around
> > until the end. The reason for this is that there are CGI scripts
> > around that expect a URL in PATH_INFO,
> > i.e. http://www.server.com/cgi-bin/cgi-script/http://some.url/here
> > 
> > However, Apache can't determine where the filename starts and the path
> > info begins until much farther into the request than when it removes
> > ../ and so forth (specifically, directly *after* the stat we're
> > talking about). This has been examined in thorough detail, trust
> > me.
> 
> Could Apache, upon getting the failed stat, strip redundant //'s and try
> again?

Since multiple slashes mean nothing to stat we could safely wrapper stat with
a redundant / remover.

Has anyone tried this on other servers, as a matter of interest?

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author

Mime
View raw message