httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Sutton <p...@ukweb.com>
Subject Re: [linux-security] Security Hole. Appache. (fwd)
Date Fri, 05 Sep 1997 09:56:09 GMT
On Thu, 4 Sep 1997, Alexei Kosut wrote:
> On Thu, 4 Sep 1997, Paul Sutton wrote:
> > Of course there is a security risk for CGI authors who don't both to check
> > REQUEST_METHOD, but if they don't check it then they aren't even
> > processing HEAD vs. GET correctly, or reading any POST data, so their CGIs
> > are wrong. 
> 
> One minor point: Apache handles GET vs. HEAD for scripts. It passes
> REQUEST_METHOD as GET, and cuts off the response after the headers.

Yes, OK, but I didn't think the CGI spec mandated this, so scripts should
still check for HEADs so they'd work under other servers.

//pcs


Mime
View raw message