httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: problem with log url overflow found
Date Sat, 11 Jan 1997 23:46:20 GMT
On Sat, 11 Jan 1997, Jason Clary wrote:

> aren't multiple reduntant slashes removed automaticaly at the same time
> ../'s are removed?  From this, I would guess not.. I'll have to
> poke around that part of the code a bit.  But it would seem prudent
> to remove illegal redundancies as the absolute first thing you do
> after you read the request...  There's no reason for multiple slashes
> that I can think of.

You wanna bet on that? Multiple slashes are never removed from
r->filename. They are removed from tests done to see if
<Directory>/<Location>/<Files> sections match, but they stay around
until the end. The reason for this is that there are CGI scripts
around that expect a URL in PATH_INFO,

However, Apache can't determine where the filename starts and the path
info begins until much farther into the request than when it removes
../ and so forth (specifically, directly *after* the stat we're
talking about). This has been examined in thorough detail, trust

Alexei Kosut <>      The Apache HTTP Server

View raw message