httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@covalent.net>
Subject Re: multiviews and query string
Date Mon, 29 Oct 2001 15:26:24 GMT
From: "Joshua Slive" <joshua@slive.ca>
Sent: Monday, October 29, 2001 9:20 AM


> Sorry, I don't have time to confirm this myself, but there seems to be a
> problem with the recent multiviews fix in 1.3.22:
> 
> http://bugs.apache.org/index.cgi/full/8628
> http://bugs.apache.org/index.cgi/full/8582
> http://bugs.apache.org/index.cgi/full/8538

Yup, that's what it sounds like.

The old bug in some cases rejected the index.html.xx query args (in the
core handler) causing autoindex to serve the page since the core refused
to deal with these args.

The right fix is probably to revert this change, and instead assure that
the core handler always accepts (even as it ignores) the query args, so
this problem will go away, but the vulnerability will remain closed.

I'll take a look at this midweek on both 1.3 and 2.0.

Bill


Mime
View raw message