httpd-docs mailing list archives

From Joshua Slive
Subject Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Date Sun, 16 Jun 2002 02:15:17 GMT
Rich Bowen wrote:
> On Sat, 15 Jun 2002, Joshua Slive wrote:

>>It is fairly similar to yours, but not quite the same.  Both your script
>>and the one in httpd-2.0 are missing a necessary security fix from the
>>1.3 version (strip slashes from the vhost name).
> Can you elaborate on that? Why would the vhost name ever have a slash in
> it? I can see that it could be a security problem, but how would one
> ever get in there?

I guess you can put pretty much whatever you like in the Host: header. 
It is not a major security hole, in my opinion, but it is better not 
allowed.  Cliff just checked in a fix to get rid of the problem in 
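
The point discussed in this message, as an added example that is not part of the original e-mail or of the httpd scripts: a log splitter that names its output files after the vhost field has to treat that field as client-controlled, because it can come from the Host: header. The log layout (vhost as the first space-separated field), the names `safe_vhost_name` and `split_log`, and the `_invalid_host` bucket are assumptions for illustration; the check goes beyond stripping slashes and accepts only hostname-shaped values.

```python
import os
import re
import tempfile

# Assumption: a usable vhost is dot-separated labels of letters, digits and '-'.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
VALID_VHOST = re.compile(LABEL + r"(?:\." + LABEL + r")*")
FALLBACK = "_invalid_host"  # hypothetical bucket for rejected names

# Constructed sample lines: vhost first, then a common-log-style entry.
SAMPLE = [
    'www.example.com 192.0.2.1 - - [16/Jun/2002:02:15:17 +0000] "GET / HTTP/1.1" 200 512',
    'WWW.EXAMPLE.COM:80 192.0.2.2 - - [16/Jun/2002:02:15:18 +0000] "GET /a HTTP/1.1" 200 10',
    '../outside 192.0.2.3 - - [16/Jun/2002:02:15:19 +0000] "GET / HTTP/1.1" 400 0',
    'a/b 192.0.2.4 - - [16/Jun/2002:02:15:20 +0000] "GET / HTTP/1.1" 400 0',
]


def safe_vhost_name(raw):
    """Map a client-supplied vhost string to a safe log file stem."""
    name = raw.strip().lower().split(":", 1)[0].rstrip(".")  # drop port, root dot
    if len(name) > 253 or not VALID_VHOST.fullmatch(name):
        return FALLBACK  # slashes, "..", empty names and other junk end up here
    return name


def split_log(lines, outdir):
    """Append each line to <outdir>/<vhost>.log; return {file stem: line count}."""
    root = os.path.realpath(outdir)
    counts = {}
    for line in lines:
        stem = safe_vhost_name(line.partition(" ")[0])
        path = os.path.realpath(os.path.join(root, stem + ".log"))
        # Defence in depth: the resolved path must sit directly inside outdir.
        if os.path.dirname(path) != root:
            raise ValueError("refusing to write outside the log directory")
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\n") + "\n")  # keep the raw vhost for review
        counts[stem] = counts.get(stem, 0) + 1
    return counts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(split_log(SAMPLE, tmp), sorted(os.listdir(tmp)))
```
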

