Message-ID: <3DC2EAAF.1828A35B@Golux.Com>
Date: Fri, 01 Nov 2002 15:57:19 -0500
From: Rodent of Unusual Size
Organization: The Apache Software Foundation
To: dev@httpd.apache.org
Subject: Re: workaround for encoded slashes (%2f)
References: <83100D46-EC49-11D6-B519-000393753936@apache.org> <5.1.0.14.2.20021101125959.02c0d5f0@pop3.rowe-clan.net>

"William A. Rowe, Jr." wrote:
>
> Yes, it's a veto to introduce a security hole as a 'starting point' that
> someone might get around to cleaning up later.

demonstrate that it is a security hole in the server. if you cannot
demonstrate that this opens the server to client-side attack, i do not
regard the above as a valid technical justification, and do not recognise
the veto.

vetos require technical justification, not opinion. show me that this
opens the server to attack, and i'm there.