httpd-docs mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Date Sun, 16 Jun 2002 02:15:17 GMT
Rich Bowen wrote:
> On Sat, 15 Jun 2002, Joshua Slive wrote:

> 
>>It is fairly similar to yours, but not quite the same.  Both your script
>>and the one in httpd-2.0 are missing a necessary security fix from the
>>1.3 version (strip slashes from the vhost name).
> 
> 
> Can you elaborate on that? Why would the vhost name ever have a slash in
> it? I can see that it could be a security problem, but how would one
> ever get in there?

I guess you can put pretty much whatever you like in the Host: header. 
It is not a major security hole, in my opinion, but it is better not 
allowed.  Cliff just checked in a fix to get rid of the problem in 
httpd-2.0.

Joshua.
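
An added example, not part of the original message and not the httpd script itself: a minimal per-vhost log splitter showing the slash-stripping fix discussed above. It assumes the script uses the first field of each log line (the vhost name) as the output file name; `safe_vhost`, `split_log`, the sample lines, the catch-all file name and the final path check are constructed for illustration and go slightly beyond the fix named in the thread.

```python
import os
import tempfile

# Constructed sample lines. First field = vhost name, which originates from
# the client-supplied Host: header and so may contain arbitrary characters.
SAMPLE_LOG = [
    'www.example.com 192.0.2.10 - - [16/Jun/2002:02:15:17 +0000] "GET / HTTP/1.0" 200 512',
    'WWW.Example.COM 192.0.2.11 - - [16/Jun/2002:02:15:18 +0000] "GET /a HTTP/1.0" 200 90',
    '../../tmp/x 192.0.2.66 - - [16/Jun/2002:02:15:19 +0000] "GET / HTTP/1.0" 200 512',
    '/ 192.0.2.66 - - [16/Jun/2002:02:15:20 +0000] "GET / HTTP/1.0" 200 512',
]


def safe_vhost(raw):
    """Strip path separators from the logged vhost name (the fix in the thread)."""
    # Lower-casing is an assumption here, so one host maps to one file.
    name = raw.lower().replace("/", "").replace("\\", "")
    # Assumption: names left empty or made only of dots go to a catch-all file.
    return name if name.strip(".") else "_invalid"


def split_log(lines, outdir):
    """Append each line to <outdir>/<vhost>.log; return the file names written."""
    root = os.path.realpath(outdir)
    written = set()
    for line in lines:
        vhost, _, rest = line.partition(" ")
        path = os.path.realpath(os.path.join(root, safe_vhost(vhost) + ".log"))
        # Defence in depth: refuse anything that resolves outside outdir.
        if os.path.dirname(path) != root:
            raise ValueError("refusing to write outside %s: %r" % (root, vhost))
        with open(path, "a") as fh:
            fh.write(rest + "\n")
        written.add(os.path.basename(path))
    return sorted(written)


def demo():
    """Split the constructed sample into a temporary directory."""
    with tempfile.TemporaryDirectory() as outdir:
        return split_log(SAMPLE_LOG, outdir)


if __name__ == "__main__":
    print(demo())
```

Without the `replace` calls in `safe_vhost`, the third sample line would name a file outside the output directory, which is the problem the fix removes.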


