Ryan Bloom wrote:
>>From: Ben Laurie [mailto:ben@algroup.co.uk]
>>
>>Cliff Woolley wrote:
>>
>>>On Mon, 3 Jun 2002, Ryan Bloom wrote:
>>>
>>>
>>>
>>>>I was actually just about to look at this problem if you are busy.
>>>
>>>
>>>Go for it... I'm working on something else.
>>
>>Perhaps it's just me, but I'm amused this is considered a bug.
>
>
> It's a security hole IMO. The problem is that if you rewrite the URL
> .*, then the error URL that mod_ssl will be rewritten. This means that
> you can serve information over HTTP that was supposed to be restricted
> to HTTPS.
Sorry, I don't understand this - seems like you missed a word or two out?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff