httpd-dev mailing list archives

From <fri...@friedo.com>
Subject Re: [PATCH] Query string parsing for mod_include.c
Date Tue, 09 Sep 2003 08:07:59 GMT
Hi, Andre. Thanks for your feedback. I will definitely port this to the
2.1 branch and submit a new patch.

> - one should recognize ; as delimiter as well (ok, trivial)

Easy enough.

> - to circumvent the security flaw, I'd suggest extending the #set handler
>   instead, for example:
>     <!--#set var="foo" query="param_name" -->, which would be really safe.
>   I'm not sure whether the query parameter should be expanded. Opinions?

Another idea I thought of was to put the query string vars in a separate
table, and have a special prefix for accessing that table (something like
@var instead of $var). That would prevent overwriting important stuff in
subprocess_env. I also like your idea, though it is a bit more cumbersome
for the person writing the SSI.

> - The second one could be solved with things like
>   <!--#set var="foo" query="param_name[i]" -->, where i starts with 0 or 1 (?).

It should start with zero of course. :P
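The design sketched in this thread (query-string variables kept in their own table and reached through an @ prefix rather than $, both & and ; accepted as delimiters, and a 0-based param_name[i] index for repeated parameters) as an added C example. This is illustration code, not the patch and not mod_include.c: the kv_table type, the function names, the DOCUMENT_ROOT fixture and the query string are all constructed here, and percent-decoding is left out. The point it shows is that a request carrying ?DOCUMENT_ROOT=... can only ever set @DOCUMENT_ROOT, while $DOCUMENT_ROOT still returns what the server put there.

```c
#define _POSIX_C_SOURCE 200809L         /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAIRS 64
#define MAX_TOKEN 256

/* Append-only name/value table; repeated names stay in arrival order so they
 * can be addressed by index. A constructed stand-in for Apache's APR table. */
typedef struct {
    char *keys[MAX_PAIRS];
    char *vals[MAX_PAIRS];
    int n;
} kv_table;

void table_add(kv_table *t, const char *k, const char *v)
{
    if (t->n >= MAX_PAIRS) return;      /* drop overflow silently in this demo */
    t->keys[t->n] = strdup(k);
    t->vals[t->n] = strdup(v);
    t->n++;
}

/* i-th occurrence (0-based, as agreed in the thread) of key k, or NULL. */
const char *table_get_index(const kv_table *t, const char *k, int i)
{
    int seen = 0;
    for (int j = 0; j < t->n; j++)
        if (strcmp(t->keys[j], k) == 0 && seen++ == i) return t->vals[j];
    return NULL;
}

/* Split "a=1&b=2;b=3" into t: both '&' and ';' delimit pairs, overlong tokens
 * are truncated, empty names are skipped. Percent-decoding is omitted here. */
void parse_query_string(const char *qs, kv_table *t)
{
    const char *p = qs;
    while (*p) {
        const char *end = p;
        while (*end && *end != '&' && *end != ';') end++;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        size_t klen = eq ? (size_t)(eq - p) : (size_t)(end - p);
        size_t vlen = eq ? (size_t)(end - eq - 1) : 0;
        char key[MAX_TOKEN], val[MAX_TOKEN];
        if (klen >= MAX_TOKEN) klen = MAX_TOKEN - 1;
        if (vlen >= MAX_TOKEN) vlen = MAX_TOKEN - 1;
        memcpy(key, p, klen); key[klen] = '\0';
        if (eq) memcpy(val, eq + 1, vlen);
        val[vlen] = '\0';
        if (klen > 0) table_add(t, key, val);
        p = *end ? end + 1 : end;
    }
}

/* "$NAME" reads the request environment only; "@NAME" or "@NAME[i]" reads the
 * query table only. Because the two tables never mix, a query parameter cannot
 * shadow anything the server placed in the environment (subprocess_env). */
const char *resolve(const kv_table *env, const kv_table *query, const char *ref)
{
    const kv_table *t = ref[0] == '$' ? env : ref[0] == '@' ? query : NULL;
    if (!t) return NULL;                /* no prefix: not a variable reference */
    const char *bracket = strchr(ref + 1, '[');
    size_t nlen = bracket ? (size_t)(bracket - ref - 1) : strlen(ref + 1);
    char name[MAX_TOKEN];
    int index = 0;
    if (nlen == 0 || nlen >= MAX_TOKEN) return NULL;
    memcpy(name, ref + 1, nlen); name[nlen] = '\0';
    if (bracket) {
        char *endp;
        long v = strtol(bracket + 1, &endp, 10);
        if (endp == bracket + 1 || *endp != ']' || endp[1] || v < 0) return NULL;
        index = (int)v;                 /* malformed or negative index rejected */
    }
    return table_get_index(t, name, index);
}

/* Constructed fixture: one server-set variable plus a query string that reuses
 * its name and repeats 'x'. Returns what ref resolves to, or NULL. */
const char *demo_lookup(const char *ref)
{
    static kv_table env, query;
    static int built = 0;
    if (!built) {
        table_add(&env, "DOCUMENT_ROOT", "/var/www/html");
        parse_query_string("DOCUMENT_ROOT=/tmp/override&x=1;x=2", &query);
        built = 1;
    }
    return resolve(&env, &query, ref);
}

/* 1 if ref resolves to expected; pass NULL to require "does not resolve". */
int demo_matches(const char *ref, const char *expected)
{
    const char *got = demo_lookup(ref);
    if (!got || !expected) return got == expected;
    return strcmp(got, expected) == 0;
}

int main(void)
{
    const char *refs[] = { "$DOCUMENT_ROOT", "@DOCUMENT_ROOT", "@x[0]", "@x[1]", "@x[2]" };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("%-15s -> %s\n", refs[i], demo_lookup(refs[i]) ? demo_lookup(refs[i]) : "(unset)");
    return 0;
}
```

The separation is the whole safety argument: the parser never writes into env, and resolve() picks the table from the prefix before it looks at the name, so no spelling of a query parameter can reach the server-set entries. Indexing past the last repeat, a negative or non-numeric index, and an unprefixed name all resolve to NULL rather than falling back to the other table.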