httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@lnd.com>
Subject RE: cvs commit: apache-1.3/src CHANGES
Date Thu, 15 Jun 2000 19:13:37 GMT

I don't know that I'm happy with this patch...

If I read it right... the only test is for the string "cgi-bin"?
If the user has set up "top-secret" as their ScriptAlias directive
for the vhost, then http://my.site.org//top-secret is still broken?

Bill

> -----Original Message-----
> From: fanf@locus.apache.org [mailto:fanf@locus.apache.org]
> Sent: Wednesday, June 14, 2000 7:32 PM
> To: apache-1.3-cvs@apache.org
> Subject: cvs commit: apache-1.3/src CHANGES
> 
> 
> fanf        00/06/14 17:31:41
> 
>   Modified:    src      CHANGES
>   Log:
>   If the CGI directory is under the document root and a user makes a
>   request for something like http://www.example.com//cgi-bin/foo.cgi
>   then they will get the source code for the CGI rather than its output
>   without this fix.
>   
>   Reported by: "Paul Perkins" <paulp@despam.penguinpowered.com>
>   in comp.infosystems.www.servers.unix
>   <news:960999105.344321@ernani.logica.co.uk>
>   
>   Revision  Changes    Path
>   1.1557    +6 -0      apache-1.3/src/CHANGES
>   
>   Index: CHANGES
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/CHANGES,v
>   retrieving revision 1.1556
>   retrieving revision 1.1557
>   diff -u -r1.1556 -r1.1557
>   --- CHANGES	2000/06/12 21:54:23	1.1556
>   +++ CHANGES	2000/06/15 00:31:37	1.1557
>   @@ -1,5 +1,11 @@
>    Changes with Apache 1.3.13
>    
>   +  *) Prevent the source code for CGIs from being revealed 
> when using
>   +     mod_vhost_alias and the CGI directory is under the 
> document root
>   +     and a user makes a request like 
http://www.example.com//cgi-bin/cgi
  +     as reported in <news:960999105.344321@ernani.logica.co.uk>
  +     [Tony Finch]
  +
     *) Under Win32, The console input mode is fixed to ignore mouse events 
        and always listen for a Ctrl+C interrupt, even if the console window
        defaults to another mode. [William Rowe]
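
Review bot: the added CHANGES entry (the `+` lines under "Changes with Apache 1.3.13") describes only the `//cgi-bin/` request form and does not say whether a CGI directory configured under another name is also covered, which is the question raised in the reply above. The commit as shown modifies only src/CHANGES, so the code change cannot be checked from this message; the entry should state what the fix actually keys on (the configured script directory, or the literal name) so readers can tell whether their setup is protected. The example URL in the entry ends in `/cgi-bin/cgi` while the commit log uses `/cgi-bin/foo.cgi`; using the same example in both would avoid confusion.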
  
  
  


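Added example, not part of the original message and not Apache's code: a constructed C model of the concern raised in the reply, comparing a byte-wise prefix check, a check that special-cases the literal "cgi-bin", and a check that ignores repeated slashes when matching whatever script prefix is configured. The function names, the sample prefixes and the assumption that the script decision is a prefix match are all illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: byte-wise test of whether `uri` lies under the
 * script directory `prefix` (e.g. "/cgi-bin/"). A doubled slash defeats it. */
int is_script_naive(const char *uri, const char *prefix)
{
    return strncmp(uri, prefix, strlen(prefix)) == 0;
}

/* Special-cases one directory name, the approach questioned in the reply.
 * It catches "//cgi-bin/..." but not a script directory with another name. */
int is_script_literal(const char *uri)
{
    return strstr(uri, "/cgi-bin/") != NULL;
}

/* Compares against the configured prefix while treating any run of '/'
 * as a single separator, so the directory name itself does not matter. */
int is_script_normalized(const char *uri, const char *prefix)
{
    while (*prefix) {
        if (*uri != *prefix)
            return 0;
        if (*uri == '/') {
            while (*uri == '/') uri++;
            while (*prefix == '/') prefix++;
        } else {
            uri++;
            prefix++;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests with the script prefix assumed for each. */
    const char *uris[] = { "/cgi-bin/foo.cgi", "//cgi-bin/foo.cgi",
                           "//top-secret/foo.cgi" };
    const char *pfx[]  = { "/cgi-bin/", "/cgi-bin/", "/top-secret/" };
    for (int i = 0; i < 3; i++)
        printf("%-22s naive=%d literal=%d normalized=%d\n", uris[i],
               is_script_naive(uris[i], pfx[i]), is_script_literal(uris[i]),
               is_script_normalized(uris[i], pfx[i]));
    return 0;
}
```

Only the last check classifies all three sample requests as scripts; the literal check misses the `top-secret` case described in the reply.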