httpd-dev mailing list archives

From Alexei Kosut <ako...@nueva.pvt.k12.ca.us>
Subject Re: problem with log url overflow found
Date Sat, 11 Jan 1997 23:46:20 GMT
On Sat, 11 Jan 1997, Jason Clary wrote:

> Aren't multiple redundant slashes removed automatically at the same time
> ../'s are removed?  From this, I would guess not.. I'll have to
> poke around that part of the code a bit.  But it would seem prudent
> to remove illegal redundancies as the absolute first thing you do
> after you read the request...  There's no reason for multiple slashes
> that I can think of.

You wanna bet on that? Multiple slashes are never removed from
r->filename. They are removed from tests done to see if
<Directory>/<Location>/<Files> sections match, but they stay around
until the end. The reason for this is that there are CGI scripts
around that expect a URL in PATH_INFO,
i.e. http://www.server.com/cgi-bin/cgi-script/http://some.url/here

However, Apache can't determine where the filename starts and the path
info begins until much farther into the request than when it removes
../ and so forth (specifically, directly *after* the stat we're
talking about). This has been examined in thorough detail, trust
me.

-- 
________________________________________________________________________
Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
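
The ordering described in the message above, as an added example that is not part of the original post and is not Apache's code: collapsing slashes before the filename/PATH_INFO split damages a URL carried in PATH_INFO, while collapsing only a copy for section matching leaves it intact. The `SCRIPT` constant is an assumption standing in for the point the stat would find; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Request path taken from the URL quoted in the message. */
#define URI    "/cgi-bin/cgi-script/http://some.url/here"
/* Assumption: stands in for where the stat finds the script file. */
#define SCRIPT "/cgi-bin/cgi-script"

/* Collapse runs of '/' in place. */
static void collapse_slashes(char *s)
{
    char *in = s, *out = s;
    while (*in) {
        if (*in == '/' && out > s && out[-1] == '/') { in++; continue; }
        *out++ = *in++;
    }
    *out = '\0';
}

/* Return the part of uri after the script name, or NULL if no match. */
static const char *path_info_after(const char *uri, const char *script)
{
    size_t n = strlen(script);
    if (strncmp(uri, script, n) != 0) return NULL;
    if (uri[n] != '/' && uri[n] != '\0') return NULL;
    return uri + n;
}

/* Early normalisation: collapse the whole request, then split. */
static const char *path_info_early(const char *uri, const char *script)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", uri);
    collapse_slashes(buf);
    return path_info_after(buf, script);
}

/* Section matching on a collapsed copy; the caller's string is untouched. */
static int section_matches(const char *uri, const char *section)
{
    char copy[256];
    snprintf(copy, sizeof copy, "%s", uri);
    collapse_slashes(copy);
    return strncmp(copy, section, strlen(section)) == 0;
}

int main(void)
{
    printf("early: %s\n", path_info_early(URI, SCRIPT));
    printf("late : %s (section match: %d)\n",
           path_info_after(URI, SCRIPT), section_matches("//cgi-bin///x", "/cgi-bin/"));
    return 0;
}
```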

