Received: by taz.hyperreal.com (8.8.3/V2.0) id AAA15941;
 Mon, 13 Jan 1997 00:12:05 -0800 (PST)
Received: from dicsmss1.jrc.it by taz.hyperreal.com (8.8.3/V2.0) with SMTP id
 AAA15924; Mon, 13 Jan 1997 00:11:58 -0800 (PST)
Received: from  jrc.it (elect6.jrc.it) by dicsmss1.jrc.it (4.1/EB-950131-C)
	id AA23845; Mon, 13 Jan 97 09:17:29 +0100
Received: by  jrc.it (5.x/EB-950213-L)
	id AA25850; Mon, 13 Jan 1997 09:11:19 +0100
Date: Mon, 13 Jan 1997 09:11:18 +0100 (MET)
From: Dirk.vanGulik@jrc.it
X-Sender: dirkx@elect6.jrc.it
To: new-httpd@hyperreal.com
Subject: Re: problem with log url overflow found
In-Reply-To: <9701121537.aa21826@gonzo.ben.algroup.co.uk>
Message-Id: <Pine.SOL.3.91.970113090934.25789G-100000@elect6.jrc.it>
Reply-Path: Dirk.vanGulik@jrc.it
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Sun, 12 Jan 1997, Ben Laurie wrote:

> Brian Behlendorf wrote:
> > 
> > On Sat, 11 Jan 1997, Alexei Kosut wrote:
> > > On Sat, 11 Jan 1997, Jason Clary wrote:
> > > 
> > > > aren't multiple reduntant slashes removed automaticaly at the same time
> > > > ../'s are removed?  From this, I would guess not.. I'll have to
> > > > poke around that part of the code a bit.  But it would seem prudent
> > > > to remove illegal redundancies as the absolute first thing you do
> > > > after you read the request...  There's no reason for multiple slashes
> > > > that I can think of.

Well; but you are _NOT_ going to touch them; they might be meaningfull
to a script or to a special module... there is no indication whatsoever
in the RFC;s that you HAVE to see the slashes as directory specifiers;
for lots of purposes it is just an opaque string.

> > > You wanna bet on that? Multiple slashes are never removed from
> > > r->filename. They are removed from tests done to see if

And that is how it should be !!!

> > > <Directory>/<Location>/<Files> sections match, but they stay around
> > > until the end. The reason for this is that there are CGI scripts
> > > around that expect a URL in PATH_INFO,
> > > i.e. http://www.server.com/cgi-bin/cgi-script/http://some.url/here
> > > 
> > > However, Apache can't determine where the filename starts and the path
> > > info begins until much farther into the request than when it removes
> > > ../ and so forth (specifically, directly *after* the stat we're
> > > talking about). This has been examined in thorough detail, trust
> > > me.
> > 
> > Could Apache, upon getting the failed stat, strip redundant //'s and try
> > again?
> 
> Since multiple slashes mean nothing to stat we could safely wrapper stat with
> a redundant / remover.
> 
> Has anyone tried this on other servers, as a matter of interest?

HTTP/1.0 404 Not found
Server: Netscape-Enterprise/2.01
Date: Mon, 13 Jan 1997 08:09:52 GMT
Content-length: 207
Content-type: text/html

Is what I get on both the Comm's and Enterprise one's.
 
> Cheers,
> 
> Ben.
> 
> -- 
> Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
> Freelance Consultant and  Fax:   +44 (181) 994 6472
> Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
> A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
> London, England.          Apache-SSL author
> 


http://ewse.ceo.org                         http://enrm.ceo.org
DWvGulik@Dialis.xs4all.nl                  Dirk.vanGulik@jrc.it
+39 332 78 0014                                 +39 332 78 9549
                                            fax +39 332 78 9185

ISEI/ESBA;                     The Center For Earth Observation
Joint Research Centre of the European Communities, Ispra, Italy