httpd-dev mailing list archives

From Stipe Tolj <t...@wapme-systems.de>
Subject Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Date Thu, 05 Feb 2004 02:07:55 GMT
Stipe Tolj wrote:
> 
> Hi Roy,
> 
> "Roy T. Fielding" wrote
> >
> > -1.  Reject the request with a 400 error instead.
> 
> actually a standard (apache layout) install (from source) on a linux
> box with the URI described in the bug report gives also a 404, and
> *not* a 400 in response.
> 
> So we get the same behaviour on cygwin as on linux?! Why is the
> behaviour on cygwin then "more wrong"?

which does not mean that I'm vetoing the -1 in terms of HTTP response
code semantics. That's ok for me and actually I would be +1 for
responding 400 to a "non-valid, abusing" URI. But just to mention
that the linux install did the same. So either we should have it
changed generically, but not specifically for cygwin IMO.

Stipe

mailto:tolj@wapme-systems.de
-------------------------------------------------------------------
Wapme Systems AG

Münsterstr. 248
40470 Düsseldorf, NRW, Germany

phone: +49.211.74845.0
fax: +49.211.74845.299

mailto:info@wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------
