httpd-dev mailing list archives

From "Brian Havard" <bri...@kheldar.apana.org.au>
Subject Plugging nice big security hole (OS/2)
Date Mon, 20 Jul 1998 07:32:53 GMT
My testing shows that OS/2 suffers the same problem as Win32 with trailing
dots on directory names and I'm trying to do something about it.

As it stands, you can bypass protection of a directory by adding a dot at the
end. I've written an ap_os_canonical_filename() that removes the trailing
dots (and does a few other things) and that seems to secure <Directory> type
access restrictions but <Location> types are still vulnerable. What can I do
to fix them?

--
 ______________________________________________________________________________
 |  Brian Havard                 |  "He is not the messiah!                   |
 |  brianh@kheldar.apana.org.au  |  He's a very naughty boy!" - Life of Brian |
 ------------------------------------------------------------------------------
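
Added example, not part of the original message and not Apache's ap_os_canonical_filename(): a minimal sketch of why an access check has to run on the canonical path on a platform that resolves "secret." to "secret". The function names, the 256-byte buffer and the sample paths are assumptions made for illustration, and only trailing dots are handled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy `in` to `out`, dropping trailing dots from every
 * '/'-separated segment. Segments made only of dots ("." and "..") are kept
 * unchanged. Returns 0 on success, -1 if `out` is too small. */
int strip_trailing_dots(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*in) {
        size_t seg = strcspn(in, "/");          /* length of this segment */
        size_t keep = seg;
        while (keep > 0 && in[keep - 1] == '.')
            keep--;
        if (keep == 0) keep = seg;              /* all dots: leave as-is */
        if (o + keep + 2 > outlen) return -1;   /* room for '/' and NUL */
        memcpy(out + o, in, keep);
        o += keep;
        in += seg;
        if (*in == '/') { out[o++] = '/'; in++; }
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 if `path` is `prefix` itself or lies beneath it. */
int under_prefix(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Access decision made on the canonical form, not on the raw request. */
int is_protected(const char *raw, const char *prefix)
{
    char canon[256];
    if (strip_trailing_dots(raw, canon, sizeof canon) != 0)
        return 1;                               /* fail closed */
    return under_prefix(canon, prefix);
}

int main(void)
{
    const char *req = "/docs/secret./plan.txt"; /* constructed sample path */
    printf("raw check: %d, canonical check: %d\n",
           under_prefix(req, "/docs/secret"), is_protected(req, "/docs/secret"));
    return 0;
}
```

The same normalisation has to be applied to whatever string a rule is matched against, which is the gap the message describes between the two kinds of restriction.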

