From: "William A. Rowe, Jr."
Subject: Re: multiviews and query string
Date: Mon, 29 Oct 2001 09:26:24 -0600
Message-ID: <064c01c1608e$aee154f0$93c0b0d0@roweclan.net>
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org

From: "Joshua Slive"
Sent: Monday, October 29, 2001 9:20 AM

> Sorry, I don't have time to confirm this myself, but there seems to be a
> problem with the recent multiviews fix in 1.3.22:
>
> http://bugs.apache.org/index.cgi/full/8628
> http://bugs.apache.org/index.cgi/full/8582
> http://bugs.apache.org/index.cgi/full/8538

Yup, that's what it sounds like. The old bug in some cases rejected the
index.html.xx query args (in the core handler) causing autoindex to serve
the page since the core refused to deal with these args.

The right fix is probably to revert this change, and instead assure that
the core handler always accepts (even as it ignores) the query args, so this
problem will go away, but the vulnerability will remain closed.

I'll take a look at this midweek on both 1.3 and 2.0.

Bill