httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: sigh. iis...
Date Mon, 05 Jan 1998 04:56:59 GMT
At 11:34 AM 1/4/98 +0000, Ben Laurie wrote:
>Marc Slemko wrote:
>
>> Why does Apache need to resolve /../ at all?
>
>Otherwise people can avoid security.

I think what Marc is saying is, why not throw an error any time .. appears
for a file path, though we should still allow it for PATH_INFO and after a
?.  Seems reasonable to me, any client which sends that after resolving a
HREF="../foo" relative URL has gotta be busted anyways.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
specialization is for insects				  brian@organic.com
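
The policy proposed in the message above (reject `..` in the file path, allow it in PATH_INFO and after `?`), sketched as an added example; this is not Apache's code or code from the thread. The names `reject_dotdot`, `file_len` and `WHOLE_PATH` are hypothetical, the sample URIs are constructed, and percent-decoding is not modeled (a real server would run the segment check on the decoded path).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WHOLE_PATH ((size_t)-1)  /* hypothetical: no PATH_INFO split known */

/* Return 1 if any '/'-delimited segment in s[0..len) is exactly "..". */
static int has_dotdot_segment(const char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && s[i] != '/')
            i++;
        if (i - start == 2 && s[start] == '.' && s[start + 1] == '.')
            return 1;
        i++;  /* step over the '/' that ended this segment */
    }
    return 0;
}

/*
 * Return 1 to reject the request, 0 to accept it.
 * file_len (assumption): number of leading bytes of uri that map to the
 * file itself, ending on a segment boundary; what follows up to '?' is
 * PATH_INFO. Pass WHOLE_PATH to treat everything before '?' as file path.
 */
int reject_dotdot(const char *uri, size_t file_len)
{
    size_t path_len = strcspn(uri, "?");  /* query string is never scanned */
    if (file_len > path_len)
        file_len = path_len;
    return has_dotdot_segment(uri, file_len);
}

int main(void)
{
    /* Constructed sample requests. */
    printf("%d\n", reject_dotdot("/docs/../secret.html", WHOLE_PATH));
    printf("%d\n", reject_dotdot("/index.html?next=../foo", WHOLE_PATH));
    printf("%d\n", reject_dotdot("/cgi-bin/script/../x", 15));
    return 0;
}
```

Only whole segments equal to `..` are rejected, so names such as `..b` or `c...` still pass.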
