httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: Showstoppers
Date Wed, 06 May 1998 00:24:05 GMT
Yup thanks, this is exactly what I'm referring to. 

Dean

On Tue, 5 May 1998, Andy Finkenstadt wrote:

> > 3) What does "magic con/aux/nul/etc names" mean?  Dean, you added this... I
> > didn't want to remove it from the showstopper list without knowing what you
> > meant.
> > 
> > WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
> > 
> >     * SECURITY: check if the magic con/aux/nul/etc names do anything
> >         really bad
> 
> Under Windows, a filename ending in ".../con" or aux, nul, prn, and some
> others refer magically to built-in devices from the DOS 1.0 era, where
> a program could open up a file named "aux" and be relatively assured
> that they were talking to the current auxiliary device, usually the
> first communications port (COM1).  The history behind this is actually
> very old, but even Windows 95 contains code that checks for DOS-type
> device filenames.
> 
> What happens when a remote user requests a file "GET /path/to/anywhere/aux
> HTTP/1.0"?  Similarly, what happens if .htaccess contains "AuthUserFile
> /path/to/con" (ie, console)?  The work to be done is probably very similar
> to the checks needed under Unix for character or block devices, pipes,
> sockets, symlinks, or directories prior to opening the file for reading
> or writing.
> 
> Andy
> 
> 
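
An added example, not part of the original message or of Apache's code: one way to reject request or configuration paths that contain the device names discussed above before any file is opened. The function names are hypothetical, and the `com<digit>`/`lpt<digit>` names and the handling of extensions and trailing spaces are assumptions filling in the "some others" the message mentions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive: do the first n bytes of s equal the lowercase name? */
static int ieq(const char *s, size_t n, const char *name)
{
    size_t i;
    if (strlen(name) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* 1 if one path segment names a DOS device (hypothetical helper). */
static int segment_is_device(const char *seg, size_t len)
{
    static const char *const fixed[] = { "con", "prn", "aux", "nul" };
    size_t i, base = 0;
    /* Conservative: ignore an extension or ':' suffix and trailing spaces,
       so "aux.html" and "nul " are treated like the bare name. */
    while (base < len && seg[base] != '.' && seg[base] != ':') base++;
    while (base > 0 && seg[base - 1] == ' ') base--;
    for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (ieq(seg, base, fixed[i])) return 1;
    /* com<digit> and lpt<digit> (serial and parallel ports). */
    return base == 4 && isdigit((unsigned char)seg[3])
        && (ieq(seg, 3, "com") || ieq(seg, 3, "lpt"));
}

/* 1 if any '/' or '\\' separated segment of path is a device name. */
int path_has_dos_device(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/\\");
        if (len > 0 && segment_is_device(p, len)) return 1;
        p += len;
        if (*p) p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the request path quoted in the message above. */
    return path_has_dos_device("/path/to/anywhere/aux") ? 0 : 1;
}
```

The check has to run on the path after URL decoding and on every segment, since a name that merely starts with a device name (`auxiliary.html`, `console.gif`) is an ordinary file and must still be served.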

