httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: workaround for encoded slashes (%2f)
Date Fri, 01 Nov 2002 17:59:51 GMT
"Roy T. Fielding" wrote:
> Your patch will simply let the %2F through, but then a later section
> of code will translate them to / and we've opened a security hole
> in the main server.  I'd rather move the rejection code to the
> place where a decision has to be made (like the directory walk),
> but I have no time to do it myself.  I think it is reasonable to
> allow %2F under some circumstances, but only in content handlers
> and only as part of path-info and not within the real directory
> structure.

is this a veto?  because i'd like to understand how this
'opens a security hole' available to client-side exploitation
without server-side deficiencies (such as a poorly-coded cgi
script).  if there is none, i don't see why this cannot go
in as a starting point.

View raw message