httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_cgi.c
Date Sun, 01 Nov 1998 12:20:26 GMT
Marc Slemko wrote:
> 
> On 1 Nov 1998 marc@hyperreal.org wrote:
> 
> > marc        98/10/31 17:08:45
> >
> >   Modified:    src/modules/standard mod_cgi.c
> >   Log:
> >   If we can't find a script and magically try adding ".EXE" to it, then
> >   do not log can't find foo.EXE, but just foo.  This avoids confusing
> >   people.
> 
> Thinking about it, this auto adding .EXE is just a bad scene
> and needs to be removed unless someone can justify it.  The problem
> is that it introduces a security hole; if someone protects
> "foo.exe", then someone can bypass that protection by using "foo".

Yeah - as if we didn't have enough problems with aliasing on Win32. I
agree it should go.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
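
The bypass described in the quoted message, as an added example that is not part of the original thread and is not Apache's code: an access rule keyed on "foo.exe" is checked against the requested name "foo", and the extension fallback then runs the protected file anyway. The file list, the rule, the status codes and all function names are constructed for illustration; the thread's own conclusion is to remove the fallback, and the second function shows an alternative ordering as an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not taken from Apache: files in the script dir
   and one access rule. Case folding on Win32 is left out of the sketch. */
static const char *const FILES[] = { "foo.exe", "status.cgi" };
static const char *const PROTECTED[] = { "foo.exe" };
enum { N_FILES = 2, N_PROTECTED = 1 };
enum { RUN = 200, DENIED = 401, NOT_FOUND = 404 };

static int in_list(const char *const *list, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

/* The fallback from the thread: if the name is missing, retry with the
   extension appended. Writes the name that would actually execute. */
static int resolve(const char *req, char *out, size_t len) {
    if (strlen(req) + sizeof ".exe" > len) return 0;
    strcpy(out, req);
    if (in_list(FILES, N_FILES, out)) return 1;
    strcat(out, ".exe");
    return in_list(FILES, N_FILES, out);
}

/* Weak: the rule is matched against the name the client sent. */
static int serve_by_request_name(const char *req, int authed) {
    char real[64];
    if (in_list(PROTECTED, N_PROTECTED, req) && !authed) return DENIED;
    return resolve(req, real, sizeof real) ? RUN : NOT_FOUND;
}

/* Alternative ordering (assumption, not the thread's fix): resolve first,
   then match the rule against the file that will run. */
static int serve_by_resolved_name(const char *req, int authed) {
    char real[64];
    if (!resolve(req, real, sizeof real)) return NOT_FOUND;
    if (in_list(PROTECTED, N_PROTECTED, real) && !authed) return DENIED;
    return RUN;
}

int main(void) {
    printf("by request name,  foo: %d\n", serve_by_request_name("foo", 0));
    printf("by resolved name, foo: %d\n", serve_by_resolved_name("foo", 0));
    return 0;
}
```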
