httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_cgi.c
Date Sun, 01 Nov 1998 07:23:41 GMT
On 1 Nov 1998 wrote:

> marc        98/10/31 17:08:45
>   Modified:    src/modules/standard mod_cgi.c
>   Log:
>   If we can't find a script and magically try adding ".EXE" to it, then
>   do not log can't find foo.EXE, but just foo.  This avoids confusing
>   people.

Thinking about it, this auto adding .EXE is just a bad scene
and needs to be removed unless someone can justify it.  The problem
is that it introduces a security hole; if someone protects
"foo.exe", then someone can bypass that protection by using "foo".

View raw message