httpd-dev mailing list archives

From Brian Behlendorf
Subject Re: sigh. iis...
Date Mon, 05 Jan 1998 04:56:59 GMT
At 11:34 AM 1/4/98 +0000, Ben Laurie wrote:
>Marc Slemko wrote:
>> Why does Apache need to resolve /../ at all?
>Otherwise people can avoid security.

I think what Marc is saying is, why not throw an error any time .. appears
for a file path, though we should still allow it for PATH_INFO and after a
?.  Seems reasonable to me, any client which sends that after resolving a
HREF="../foo" relative URL has gotta be busted anyways.


specialization is for insects
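
Added example, not part of the original message and not Apache's code: one way to express the check proposed above, rejecting a `..` segment in the part of the URI that names a file while ignoring PATH_INFO and everything after `?`. The function names and the `file_len` parameter are hypothetical; a real server only learns where the file name ends while mapping the URI to the filesystem. Percent-encoded dots and slashes are decoded before comparison, which goes beyond what the message states.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the byte at s, decoding a %XX escape; *adv gets the bytes consumed. */
static int next_byte(const char *s, const char *end, size_t *adv)
{
    if (s[0] == '%' && end - s >= 3 &&
        isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
        char hex[3] = { s[1], s[2], '\0' };
        *adv = 3;
        return (int)strtol(hex, NULL, 16);
    }
    *adv = 1;
    return (unsigned char)s[0];
}

/*
 * Return 1 if the file-path part of uri holds a ".." segment, else 0.
 * file_len (assumed input) is how many leading bytes of uri name the file;
 * the rest is PATH_INFO. Scanning also stops at the first '?'.
 */
int dotdot_in_file_path(const char *uri, size_t file_len)
{
    const char *p = uri, *end;
    size_t n = strcspn(uri, "?");
    if (file_len < n) n = file_len;
    end = uri + n;
    while (p < end) {
        int dots = 0, other = 0;
        while (p < end) {              /* walk one segment */
            size_t adv;
            int c = next_byte(p, end, &adv);
            p += adv;
            if (c == '/') break;       /* literal or encoded separator */
            if (c == '.') dots++; else other = 1;
        }
        if (dots == 2 && !other) return 1;   /* segment is exactly ".." */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests; the numbers are assumed file-name lengths. */
    printf("%d\n", dotdot_in_file_path("/a/%2e%2e/b", 11));
    printf("%d\n", dotdot_in_file_path("/cgi-bin/script/../extra?q=../x", 15));
    return 0;
}
```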