From Andy Finkenstadt <>
Subject Re: Showstoppers
Date Tue, 05 May 1998 23:59:06 GMT
> 3) What does "magic con/aux/nul/etc names" mean?  Dean, you added this... I
> didn't want to remove it from the showstopper list without knowing what you
> meant.
>     * SECURITY: check if the magic con/aux/nul/etc names do anything
>         really bad

Under Windows, a filename ending in ".../con" or aux, nul, prn, and some
others refers magically to built-in devices from the DOS 1.0 era, where
a program could open up a file named "aux" and be relatively assured
that they were talking to the current auxiliary device, usually the
first communications port (COM1).  The history behind this is actually
very old, but even Windows 95 contains code that checks for DOS-type
device filenames.

What happens when a remote user requests a file "GET /path/to/anywhere/aux
HTTP/1.0"?  Similarly, what happens if .htaccess contains "AuthUserFile
/path/to/con" (i.e., console)?  The work to be done is probably very similar
to the checks needed under Unix for character or block devices, pipes,
sockets, symlinks, or directories prior to opening the file for reading
or writing.
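
The check discussed in the message above, as an added example that is not part of the original message or of Apache's code: a C function that rejects a request or configuration path when any component names a DOS device. The function names are hypothetical, and the COM1-COM9/LPT1-LPT9 entries and the handling of extensions, colons and trailing spaces are assumptions that go beyond the four names the message lists.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example; function names are illustrative, not Apache's. */
/* Case-insensitive match of the n bytes at s against a lowercase name
 * that must be exactly n characters long. */
static int name_eq(const char *s, size_t n, const char *name)
{
    size_t i;
    if (strlen(name) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i])
            return 0;
    return 1;
}

/* Return 1 if one path component (n bytes at c) names a DOS device. */
static int component_is_device(const char *c, size_t n)
{
    static const char *const fixed[] = { "con", "prn", "aux", "nul" };
    size_t i, base = 0;
    /* The device name is what precedes the first '.' or ':' (NUL.txt, aux:) */
    while (base < n && c[base] != '.' && c[base] != ':')
        base++;
    /* ... with trailing spaces ignored ("aux " is still treated as AUX). */
    while (base > 0 && c[base - 1] == ' ')
        base--;
    for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (name_eq(c, base, fixed[i]))
            return 1;
    /* Assumed extra names: COM1-COM9 and LPT1-LPT9. */
    if (base == 4 && c[3] >= '1' && c[3] <= '9')
        return name_eq(c, 3, "com") || name_eq(c, 3, "lpt");
    return 0;
}

/* Return 1 if any component of path (split on '/' or '\') is a device. */
int path_has_dos_device(const char *path)
{
    for (;;) {
        size_t n = strcspn(path, "/\\");
        if (n > 0 && component_is_device(path, n))
            return 1;
        if (path[n] == '\0')
            return 0;
        path += n + 1;
    }
}
```

A server would call such a check on the translated filename before opening it, alongside the file-type checks the message compares it to on Unix.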


