httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: ServerString
Date Tue, 16 Oct 2001 19:47:06 GMT
On Tue, Oct 16, 2001 at 12:05:00PM -0700, Dirk-Willem van Gulik wrote:
> 
> Whilst putting together a set-server-string patch: how strict should we
> be on the chars allowed in such a string? IMHO we should block things like
> \r and \n in it - to stop .htaccess file naughtiness being able to forge
> fake headers and so on.
> 
> But can we justify being more strict and only allow A-z0-9 and /.-_;()
> and space? Or would that stop an experienced admin too much - and rob him
> or her of rightful shoot-in-the-foot pleasure?

I think [-/._;()a-zA-Z0-9] is a good place to start (in ASCII-land).
If that is too restrictive we could always expand, but better to be safe
than sorry. Maybe a compile-time option to override the restrictions
would still allow an amount of shoot-in-the-foot goodness.

-aaron
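The two levels of strictness discussed in this thread, as an added example that is not part of the original message or of the httpd source: a minimal check that only rejects the CR and LF bytes needed to forge a header, and the strict allowlist Aaron proposes. The function names, the `SERVER_STRING_UNRESTRICTED` build flag and the sample strings are assumptions made for the example; they are not httpd identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Strict allowlist from the thread: [-/._;()a-zA-Z0-9] plus space.
 * Spelled out as explicit ASCII bytes so locale tables play no part. */
static const char SERVER_STRING_ALLOWED[] =
    "-/._;() "
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789";

/* Returns -1 if every byte of s is in the strict allowlist, otherwise the
 * 0-based index of the first disallowed byte. */
int server_string_check_strict(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        /* strchr never reaches the terminator here because we stop at n */
        if (strchr(SERVER_STRING_ALLOWED, s[i]) == NULL)
            return (int)i;
    }
    return -1;
}

/* Minimal check: only CR and LF are refused, which is the least that stops a
 * .htaccess-supplied string from terminating the header line and injecting
 * further headers. Returns -1 if clean, else the index of the first CR/LF. */
int server_string_check_minimal(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\r' || s[i] == '\n')
            return (int)i;
    }
    return -1;
}

/* Hypothetical compile-time override, standing in for the "compile-time
 * option" mentioned in the thread: build with -DSERVER_STRING_UNRESTRICTED
 * to fall back to the minimal check. */
int server_string_check(const char *s)
{
#ifdef SERVER_STRING_UNRESTRICTED
    return server_string_check_minimal(s);
#else
    return server_string_check_strict(s);
#endif
}

int main(void)
{
    /* Constructed sample strings: a normal banner and a header-injection attempt */
    const char *samples[] = {
        "Apache/2.0.28 (Unix)",
        "Apache\r\nSet-Cookie: x=1",
        "Apache [custom]",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pos = server_string_check(samples[i]);
        if (pos < 0)
            printf("accepted: \"%s\"\n", samples[i]);
        else
            printf("rejected at byte %d (0x%02x)\n", pos, (unsigned char)samples[i][pos]);
    }
    return 0;
}
```

The index returned by the check is what an admin would want in the error message: it points at the exact byte in the .htaccess or config value that was refused, rather than rejecting the whole directive silently.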
