httpd-dev mailing list archives

From Anand Kumria <wildf...@progsoc.uts.edu.au>
Subject Re: [STATUS] Tue Apr 22 19:55:41 PDT 1997
Date Wed, 23 Apr 1997 14:55:32 GMT
On Wed, 23 Apr 1997, Brian Behlendorf wrote:

> On Tue, 22 Apr 1997, Dean Gaudet wrote:
> > Agenda for 1.2b9-dev
> > ====================
> > 
> > Patches available:
> > 
> >     * PR#339: suexec doesn't work with QUERY_STRINGs
> > 	From: Anand Kumria <wildfire@progsoc.uts.edu.au>
> > 	<Pine.SUN.3.95.970420164729.17677C-100000@ftoomsh.progsoc.uts.edu.au>
> 
> Yes yes, this definitely fixes the problem, and without it suexec is not nearly
> as useful.  Hyperreal users now have this available in their ~/public_html/
> directories, if anyone's interested and wants to play.

Well that's a -1 from me. I'm not so sure that ~ (tilde) should be removed
from the set of characters Apache should escape. Would anyone else care to
comment on the possible security implications of that change - I assume it
was in there for a reason.

I'll do some work on suexec on the weekend, and have it instead detect
when its arguments have been escaped. I think that's a safer solution.

Anand.

--
 `When any government, or any church for that matter, undertakes to say to
  its subjects, "This you may not read, this you must not see, this you are
  forbidden to know," the end result is tyranny and oppression no matter how
  holy the motives' -- Robert A Heinlein, "If this goes on --"

