httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: sigh. iis...
Date Mon, 05 Jan 1998 13:27:32 GMT

Brian Behlendorf wrote:
> 
> At 11:34 AM 1/4/98 +0000, Ben Laurie wrote:
> >Marc Slemko wrote:
> >
> >> Why does Apache need to resolve /../ at all?
> >
> >Otherwise people can avoid security.
> 
> I think what Marc is saying is, why not throw an error any time .. appears
> for a file path, though we should still allow it for PATH_INFO and after a
> ?.  Seems reasonable to me, any client which sends that after resolving a
> HREF="../foo" relative URL has gotta be busted anyways.
> 

Agreed... Who knows, maybe we can even have some sort of "risk assessment"
of the '..' depending on where/how it's placed :/

-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
            "Look at me! I'm wearing a cardboard belt!"
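
The check discussed in this thread, written out as an added example; it is not part of the original messages and is not Apache's code. The names `dd_where`, `find_dotdot`, `reject_request` and the `file_len` parameter are hypothetical, the split between file path and PATH_INFO is assumed to come from the server's own URI-to-file translation, and treating `%2e` as a dot goes beyond what the thread mentions.

```c
#include <stddef.h>
#include <string.h>

/* Where the first ".." segment of a request URI sits (hypothetical names). */
enum dd_where { DD_NONE = 0, DD_FILE_PATH, DD_PATH_INFO };

/* Return the character at s[i], reading %2e / %2E as '.'; *adv = bytes used. */
static int next_ch(const char *s, size_t i, size_t end, size_t *adv)
{
    if (s[i] == '%' && i + 2 < end && s[i + 1] == '2' &&
        (s[i + 2] == 'e' || s[i + 2] == 'E')) {
        *adv = 3;
        return '.';
    }
    *adv = 1;
    return s[i];
}

/* Scan the URI up to '?', one '/'-separated segment at a time.
 * file_len: number of leading bytes that map to a file or script
 * (assumption: supplied by the caller); the rest of the path is PATH_INFO.
 * The query string is never inspected. */
enum dd_where find_dotdot(const char *uri, size_t file_len)
{
    size_t end = strcspn(uri, "?");
    size_t i = 0;
    while (i < end) {
        size_t seg = i, dots = 0, other = 0, adv;
        while (i < end && uri[i] != '/') {
            if (next_ch(uri, i, end, &adv) == '.') dots++; else other++;
            i += adv;
        }
        if (dots == 2 && other == 0)   /* segment is exactly ".." */
            return seg < file_len ? DD_FILE_PATH : DD_PATH_INFO;
        if (i < end) i++;              /* step over the '/' */
    }
    return DD_NONE;
}

/* Policy from the thread: error out only when ".." is in the file path. */
int reject_request(const char *uri, size_t file_len)
{
    return find_dotdot(uri, file_len) == DD_FILE_PATH;
}
```

Segments such as `..b` or `...` are not flagged, since only a segment that is exactly two dots changes directory level.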
