httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: sigh. iis...
Date Mon, 05 Jan 1998 10:05:30 GMT
Brian Behlendorf wrote:
> 
> At 11:34 AM 1/4/98 +0000, Ben Laurie wrote:
> >Marc Slemko wrote:
> >
> >> Why does Apache need to resolve /../ at all?
> >
> >Otherwise people can avoid security.
> 
> I think what Marc is saying is, why not throw an error any time .. appears
> for a file path, though we should still allow it for PATH_INFO and after a
> ?.  Seems reasonable to me, any client which sends that after resolving a
> HREF="../foo" relative URL has gotta be busted anyways.

If that's what he was saying, then I agree.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
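
The rule proposed in the quoted message, sketched in C as an added example (not code from the thread or from Apache): report a `..` segment only in the file-path part of a request URI, leaving PATH_INFO and the query string alone. The function names and the `file_len` parameter (where the caller says the file path ends and PATH_INFO begins) are assumptions, and matching the percent-encoded form `%2e` goes beyond what the message states.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: value of a hex digit (caller has checked isxdigit). */
static int hexval(int c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hypothetical helper: is the segment [s, e) ".." once %2e is decoded? */
static int segment_is_dotdot(const char *s, const char *e)
{
    int dots = 0;
    while (s < e) {
        int c = (unsigned char)*s;
        if (c == '%' && e - s >= 3 && isxdigit((unsigned char)s[1])
            && isxdigit((unsigned char)s[2])) {
            c = hexval((unsigned char)s[1]) * 16 + hexval((unsigned char)s[2]);
            s += 3;
        } else {
            s++;
        }
        if (c != '.')
            return 0;               /* any other byte: not a dot-only segment */
        dots++;
    }
    return dots == 2;
}

/* Returns 1 if the file-path part of uri contains a ".." segment (the server
 * would answer with an error), 0 otherwise. file_len (assumed input) is the
 * number of leading bytes naming the file; PATH_INFO after it is not checked. */
int reject_dotdot(const char *uri, size_t file_len)
{
    size_t n = strcspn(uri, "?");   /* the query string is never checked */
    const char *p = uri, *end;
    if (file_len < n)
        n = file_len;
    end = uri + n;
    while (p < end) {
        const char *seg = p;
        while (p < end && *p != '/')
            p++;
        if (segment_is_dotdot(seg, p))
            return 1;
        if (p < end)
            p++;                    /* skip the '/' separator */
    }
    return 0;
}
```

Names such as `b..c` or `...` are ordinary segments and pass; only a segment that is exactly two dots is reported.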
