httpd-dev mailing list archives

From: "Brian Havard" <bri...@kheldar.apana.org.au>
Subject: Re: Plugging nice big security hole (OS/2)
Date: Tue, 21 Jul 1998 01:34:57 GMT

On Mon, 20 Jul 1998 09:17:33 -0700 (PDT), Dean Gaudet wrote:

>If people would just read the goddamn documentation they'd see that
><Location> protects URLs and shouldn't be used for filesystem protection
>at all.
>
>People using a <Location> that results in the default handler or any
>"filesystem" handler deserve the trouble they get.

It concerned me because if I protect the URL http://www.foo.com/bar/private/
with a <Location /bar/private> block I can bypass it by entering the URL
http://www.foo.com/bar/private./

If you're saying that <Location> blocks shouldn't be used this way that's
fine by me.

--
 ______________________________________________________________________________
 |  Brian Havard                 |  "He is not the messiah!                   |
 |  brianh@kheldar.apana.org.au  |  He's a very naughty boy!" - Life of Brian |
 ------------------------------------------------------------------------------
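
The gap discussed in this message, modelled as an added example (not part of the original post and not Apache code): a URL-space rule like <Location /bar/private> compares request text, while a filesystem-space rule is checked after the name is resolved. The document root, the function names and the trailing-dot rule (a filesystem that ignores trailing dots in names) are assumptions made for the illustration.

```python
# Added illustration, not Apache source. The trailing-dot rule is an assumed
# model of a filesystem that ignores trailing dots in file and directory names.
import posixpath

DOCROOT = "/htdocs"                        # hypothetical document root
PROTECTED_URL = "/bar/private"             # prefix from the <Location> block in the message
PROTECTED_DIR = DOCROOT + "/bar/private"   # the same tree as a <Directory>-style rule


def under(path, prefix):
    """Segment-aware prefix test: /a/b covers /a/b and /a/b/c, but not /a/bc."""
    path, prefix = path.rstrip("/"), prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def location_blocks(url_path):
    """URL-space check: looks only at the text of the request path."""
    return under(posixpath.normpath(url_path), PROTECTED_URL)


def resolve(url_path):
    """Map a URL path to the name the modelled filesystem would actually open."""
    parts = [seg.rstrip(".") or seg for seg in url_path.split("/") if seg]
    return posixpath.normpath(DOCROOT + "/" + "/".join(parts))


def directory_blocks(url_path):
    """Filesystem-space check: applied after the name has been resolved."""
    return under(resolve(url_path), PROTECTED_DIR)


def audit(url_paths):
    """Requests that reach the protected tree without matching the URL rule."""
    return [u for u in url_paths if directory_blocks(u) and not location_blocks(u)]


SAMPLE_REQUESTS = [  # constructed sample input
    "/bar/private/",
    "/bar/private./",
    "/bar/private./report.txt",
    "/bar/public/",
    "/bar/privateer/",
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(f"{u:28} location={location_blocks(u)!s:5} directory={directory_blocks(u)}")
    print("covered only by the filesystem rule:", audit(SAMPLE_REQUESTS))
```

Any request that audit() returns is one the URL rule alone would let through to the protected directory, which is why access control for files on disk belongs in a rule keyed to the resolved path.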

