httpd-dev mailing list archives

From "Dirk.vanGulik" <>
Subject Re: [PATCH]: check_hostalias (was Re: [STATUS] 1.2.5....)
Date Mon, 29 Sep 1997 06:53:48 GMT
> The second problem is a potential security hole. It's fairly minor, but
> is something people might easily overlook: if any virtual host is
> protected by packet-filter or firewall ip based rules, but not by Apache's
> ip-based protection (which is plausible, if unlikely), then that host may
> be accessible through its name (given a couple of conditions which I can
> outline) -- something you would not (IMO) expect w/o reading the code.

We put in an ugly hack to fix this here; I just replaced that with yours and it
works fine.

Nice piece of work!

+1. (only tested for this fix)

