httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: Considering general/PR7357: URLs containing invalid paths in combination with .. are served
Date Mon, 05 Mar 2001 22:05:08 GMT
On Mon, 5 Mar 2001, William A. Rowe, Jr. wrote:
>
> > On Mon, 5 Mar 2001, William A. Rowe, Jr. wrote:
> >
> > > I'm thinking FilesystemOptions [[+|-]EtagInode] [[+|-]CanonicalRedirect]
>
> Options?  Well we have IndexOptions for indexing, Options for whatever
> http does, and FilesystemOptions for what the file system does.
>

Let me try to clarify one more time.  (My fault; I'm being very opaque
today, in addition to clumsy.)

I think the best solution to the reported problem is something like this
in httpd.conf (untested):

SetEnvIf Request_URI "\.\." funnyurl
SetEnvIf Request_URI "//" funnyurl
Deny from env=funnyurl

(You could also use a RedirectMatch if you want to be more friendly.)

I agree with Ken that it is not good to do too much magic behind the
scenes.

Regarding the syntax issue, I guess my main problem is with the "+|-"
notation which I think people find very confusing.

Jsohua.



Mime
View raw message