From: Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject: Re: workaround for encoded slashes (%2f)
Date: Wed, 30 Oct 2002 21:32:45 GMT

"Roy T. Fielding" wrote:
> Your patch will simply let the %2F through, but then a later section
> of code will translate them to / and we've opened a security hole
> in the main server.

have we?  can it be exploited by anything not server-side?  i don't
see how.

>  I'd rather move the rejection code to the place where a
> decision has to be made (like the directory walk)

so would i, but i haven't managed it yet.

i see still using this directive even in that case, except that
it will become or_fileinfo instead of rsrc_conf and will be
able to be specified at finer granularity (such as <files>).

in the meantime, this is a real-world problem.  i'm proposing
an extensible solution to address it, with a default of 'off'
and documentation saying 'if you turn this on your scripts
had better be good, here's why.'
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"

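The concern quoted above, that a `%2F` let through early is later translated to `/`, can be made concrete by comparing how many path segments a request has before and after percent-decoding. This is an added example, not code from this thread or from Apache httpd; `decode_path`, `segment_count`, the `allow_encoded_slash` flag and the sample path are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { DEC_OK = 0, DEC_BAD_ESCAPE = -1, DEC_ENCODED_SLASH = -2, DEC_TOO_LONG = -3 };

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode a URL path. With allow_encoded_slash == 0, %2F is refused
 * outright; with 1 it becomes '/' like any other escape (the risky setting). */
int decode_path(const char *in, char *out, size_t outlen, int allow_encoded_slash) {
    size_t o = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return DEC_BAD_ESCAPE;
            c = hi * 16 + lo; in += 2;
            if (c == 0) return DEC_BAD_ESCAPE;   /* no embedded NUL */
            if (c == '/' && !allow_encoded_slash) return DEC_ENCODED_SLASH;
        }
        if (o + 1 >= outlen) return DEC_TOO_LONG;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return DEC_OK;
}

/* Non-empty '/'-separated segments: what a later directory walk would see. */
int segment_count(const char *p) {
    int n = 0;
    for (; *p; p++)
        if (*p != '/' && (p[1] == '/' || p[1] == '\0')) n++;
    return n;
}

int main(void) {
    const char *req = "/cgi-bin/lookup/a%2Fb";   /* constructed sample path */
    char buf[64];
    printf("raw: %d segments, reject mode returns %d\n",
           segment_count(req), decode_path(req, buf, sizeof buf, 0));
    if (decode_path(req, buf, sizeof buf, 1) == DEC_OK)
        printf("allow mode: %s (%d segments)\n", buf, segment_count(buf));
}
```

With decoding allowed, the three-segment request becomes a four-segment path, so any access decision made on the undecoded form no longer matches what the filesystem walk or a script receives.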
