httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: cvs commit: httpd-2.0/server core.c request.c util.c
Date Wed, 19 Mar 2003 19:31:37 GMT
At 12:57 PM 3/19/2003, William A. Rowe, Jr. wrote:

>It would be best if we unparsed and tracked the offsets in the source and
>unescaped query strings of individual components (scheme, user, host,
>path, path_info and query).  We could do something as simple as counting
>the number of slashes in the source and target paths, and failing only when
>those two components mismatch.

Whoa...

This would be even more cool for Win32.  Folks abusing backslashes
for slashes in the 'real path' could be caught (our dir_walk is twisting those
backslashes into slashes, but we rejected those backslashes long before
we got that far.)  But backslashes would become legit in the path_info
and query args on Win32.

This last (most sophisticated) solution fixes even more problems 
than I originally thought.  Counting slashes could be very cool.

Bill
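An added example, not code from httpd or from the thread's author: a simplified C model of the slash-count check discussed above. It assumes the request URI has already been split so that only the path component (percent-decoded here by a small helper) is compared against the filename that dir_walk handed back, taken relative to the document root; path_info separation is not modelled, and the docroot strings and filenames in the scenarios are constructed stand-ins for what dir_walk would produce on each platform. The query string is deliberately never inspected, so a backslash there stays legal on Win32, which is the point made in the reply.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode the path part of uri (everything before '?') into dst,
 * which must hold strlen(uri)+1 bytes. The query is not decoded or copied:
 * it is never part of the comparison. */
static void decode_path_component(const char *uri, char *dst)
{
    size_t n = 0;
    while (*uri && *uri != '?') {
        if (uri[0] == '%' && isxdigit((unsigned char)uri[1])
                          && isxdigit((unsigned char)uri[2])) {
            char hex[3] = { uri[1], uri[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            uri += 3;
        } else {
            dst[n++] = *uri++;
        }
    }
    dst[n] = '\0';
}

/* Count path separators. The URI path is '/'-separated only. On a Win32
 * target the filesystem also honours '\\' (dir_walk folds it into '/'),
 * so both characters count there. */
static size_t count_seps(const char *s, int win32_target)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '/' || (win32_target && *s == '\\'))
            n++;
    return n;
}

/* The proposed check: compare the separator count of the decoded request
 * path against that of the mapped filename relative to docroot.
 * Returns 1 = consistent, 0 = component mismatch (reject),
 * -1 = filename does not lie under docroot or uri too long. */
int slash_count_check(const char *uri, const char *docroot,
                      const char *filename, int win32)
{
    char path[1024];
    size_t dlen = strlen(docroot);
    if (strlen(uri) >= sizeof path)
        return -1;
    if (strncmp(filename, docroot, dlen) != 0)
        return -1;
    decode_path_component(uri, path);
    return count_seps(path, 0) == count_seps(filename + dlen, win32) ? 1 : 0;
}

/* Constructed scenarios (hypothetical docroots and dir_walk results). */
int scenario_unix_backslash(void)
{
    /* Unix: '\\' is an ordinary filename byte, 2 separators on both sides */
    return slash_count_check("/cgi-bin/..%5Cfoo", "/var/www",
                             "/var/www/cgi-bin/..\\foo", 0);
}

int scenario_win32_backslash(void)
{
    /* Win32: dir_walk turned the smuggled '\\' into '/', 3 vs 2 -> reject.
     * Had it also collapsed the "..", the count would mismatch as well. */
    return slash_count_check("/cgi-bin/..%5Cfoo", "C:/www",
                             "C:/www/cgi-bin/../foo", 1);
}

int scenario_win32_query_backslash(void)
{
    /* Win32: the '\\' sits in the query string, which is never compared */
    return slash_count_check("/cgi-bin/script?x=a%5Cb", "C:/www",
                             "C:/www/cgi-bin/script", 1);
}

int main(void)
{
    printf("unix  %%5C in path : %d\n", scenario_unix_backslash());
    printf("win32 %%5C in path : %d\n", scenario_win32_backslash());
    printf("win32 %%5C in query: %d\n", scenario_win32_query_backslash());
    return 0;
}
```

Only the path component is decoded and counted, so the same request is accepted on Unix, where a backslash is just a character, and rejected on Win32, where dir_walk's folding of backslashes into slashes changes the separator count between source and target.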


