httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_cgi.c
Date Sun, 01 Nov 1998 14:11:55 GMT
Agreed

Ben Laurie wrote:
> 
> Marc Slemko wrote:
> > 
> > On 1 Nov 1998 marc@hyperreal.org wrote:
> > 
> > > marc        98/10/31 17:08:45
> > >
> > >   Modified:    src/modules/standard mod_cgi.c
> > >   Log:
> > >   If we can't find a script and magically try adding ".EXE" to it, then
> > >   do not log can't find foo.EXE, but just foo.  This avoids confusing
> > >   people.
> > 
> > Thinking about it, this auto adding .EXE is just a bad scene
> > and needs to be removed unless someone can justify it.  The problem
> > is that it introduces a security hole; if someone protects
> > "foo.exe", then someone can bypass that protection by using "foo".
> 
> Yeah - as if we didn't have enough problems with aliasing on Win32. I
> agree it should go.
> 
> Cheers,
> 
> Ben.
> 
> -- 
> Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
> Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
> and Technical Director|Email: ben@algroup.co.uk |
> A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
> London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
> 


-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
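
The bypass described in the thread above, as an added example that is not part of the original messages and is not Apache's mod_cgi code: an access check that runs on the requested name, followed by a lookup that silently retries with an executable suffix. The names `FILES`, `PROTECTED`, `exists`, `is_protected` and `allowed` are hypothetical, the data is constructed, and names are compared case-sensitively with a lower-case suffix to keep the sketch short.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: scripts on disk, and the one name an admin protected. */
static const char *const FILES[]     = { "foo.exe", "bar" };
static const char *const PROTECTED[] = { "foo.exe" };

static int exists(const char *name) {
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++)
        if (strcmp(FILES[i], name) == 0) return 1;
    return 0;
}

static int is_protected(const char *name) {
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (strcmp(PROTECTED[i], name) == 0) return 1;
    return 0;
}

/* Returns 1 if the request would end up running a script, 0 otherwise.
 * auto_exe = 1 models the suffix fallback discussed in the thread;
 * auto_exe = 0 models the proposal to remove it. */
int allowed(const char *req, int auto_exe) {
    char alt[256];

    /* The access rule is matched against the name the client sent. */
    if (is_protected(req)) return 0;
    if (exists(req)) return 1;

    if (auto_exe) {
        /* Fallback: a second name is tried, but the rule above is never
         * re-evaluated against it, so "foo" reaches the protected foo.exe. */
        snprintf(alt, sizeof alt, "%s.exe", req);
        return exists(alt);
    }
    return 0; /* no fallback: an unknown name is simply not found */
}

int main(void) {
    const char *reqs[] = { "foo.exe", "foo", "bar" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s with fallback=%d  without fallback=%d\n", reqs[i],
               allowed(reqs[i], 1), allowed(reqs[i], 0));
    return 0;
}
```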
