httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk.vanGu...@jrc.it
Subject Re: problem with log url overflow found
Date Mon, 13 Jan 1997 08:11:18 GMT
On Sun, 12 Jan 1997, Ben Laurie wrote:

> Brian Behlendorf wrote:
> > 
> > On Sat, 11 Jan 1997, Alexei Kosut wrote:
> > > On Sat, 11 Jan 1997, Jason Clary wrote:
> > > 
> > > > aren't multiple reduntant slashes removed automaticaly at the same time
> > > > ../'s are removed?  From this, I would guess not.. I'll have to
> > > > poke around that part of the code a bit.  But it would seem prudent
> > > > to remove illegal redundancies as the absolute first thing you do
> > > > after you read the request...  There's no reason for multiple slashes
> > > > that I can think of.

Well; but you are _NOT_ going to touch them; they might be meaningfull
to a script or to a special module... there is no indication whatsoever
in the RFC;s that you HAVE to see the slashes as directory specifiers;
for lots of purposes it is just an opaque string.

> > > You wanna bet on that? Multiple slashes are never removed from
> > > r->filename. They are removed from tests done to see if

And that is how it should be !!!

> > > <Directory>/<Location>/<Files> sections match, but they stay
around
> > > until the end. The reason for this is that there are CGI scripts
> > > around that expect a URL in PATH_INFO,
> > > i.e. http://www.server.com/cgi-bin/cgi-script/http://some.url/here
> > > 
> > > However, Apache can't determine where the filename starts and the path
> > > info begins until much farther into the request than when it removes
> > > ../ and so forth (specifically, directly *after* the stat we're
> > > talking about). This has been examined in thorough detail, trust
> > > me.
> > 
> > Could Apache, upon getting the failed stat, strip redundant //'s and try
> > again?
> 
> Since multiple slashes mean nothing to stat we could safely wrapper stat with
> a redundant / remover.
> 
> Has anyone tried this on other servers, as a matter of interest?

HTTP/1.0 404 Not found
Server: Netscape-Enterprise/2.01
Date: Mon, 13 Jan 1997 08:09:52 GMT
Content-length: 207
Content-type: text/html

Is what I get on both the Comm's and Enterprise one's.
 
> Cheers,
> 
> Ben.
> 
> -- 
> Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
> Freelance Consultant and  Fax:   +44 (181) 994 6472
> Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
> A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
> London, England.          Apache-SSL author
> 


http://ewse.ceo.org                         http://enrm.ceo.org
DWvGulik@Dialis.xs4all.nl                  Dirk.vanGulik@jrc.it
+39 332 78 0014                                 +39 332 78 9549
                                            fax +39 332 78 9185

ISEI/ESBA;                     The Center For Earth Observation
Joint Research Centre of the European Communities, Ispra, Italy


Mime
View raw message