httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: Spaces in Win32 executable names
Date Fri, 22 Aug 1997 17:40:17 GMT
Martin Kraemer wrote:
> Elizabeth Mattijsen wrote,
> > Wouldn't it make sense then to indeed only check the requested filename
> > with the long filename and not allow any munged filenames as a requested
> > filename at all?
> That would be what I'd propose.
> If one ever needs to access "old" files, there's no problem either
> because their short name==long name (minus possible case difference).
> The original problem, if I followed the thread correctly, was that when
> executing (CGI-?) programs, windows experiences bugs when long program
> names are used.

No, the original problem was that people could bypass security by using
the other form of the name. Requiring the user to secure both short and
long name seemed a bad solution, especially given that short names are
not deterministic.

> However, when doing this...:
>   C> copy \ "not a"
>   1 File(s) copied
>   C> "not a shell"  /c dir
>   NOTASH~1.COM      95.382  21.10.96   7:04 not a
> we can see that programs with spaces in their names can be executed, too.

Yes, but you have to quote them. As I reported yesterday, without
quoting it doesn't work (even though it should). I could work around it,
but currently I decline to cure all Win32's ills. If someone else wants
to, feel free.



Ben Laurie            |Phone: +44 (181) 994 6435|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 994 6472|
and Technical Director|Email: |Apache-SSL author
A.L. Digital Ltd,     |
London, England.      |"Apache: TDG"

View raw message