httpd-docs mailing list archives

From: Eric Covener <cove...@gmail.com>
Subject: Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date: Mon, 08 Feb 2016 16:26:29 GMT

quite old: http://svn.apache.org/viewcvs?rev=326143&view=rev

On Mon, Feb 8, 2016 at 11:25 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> On Mon, Feb 8, 2016 at 10:20 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
>>
>>
>> This is worthy of discussion on docs@httpd, so please allow me to cite
>> your example... Your report does suggest that we might illustrate this alias
>> effect more clearly in the docs, e.g. an example like this;
>>
>>   Note that unexpected expansion may occur when trailing slashes
>>   are omitted, including the case of "Alias / /foo". Given the example;
>>     Alias /icons /usr/share/icons
>>   A request for /icons/small.gif is mapped to /usr/share/icons/small.gif
>>   A request for /icons-private/small.gif is mapped to /usr/share/icons-private/small.gif
>>   This behavior is by-design.
>
>
> When did this get mis-stated at
> http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias, the information
> seems most incorrect...
>
> Alias "/image" "/ftp/pub/image"
>
> A request for http://example.com/image/foo.gif would cause the server to
> return the file /ftp/pub/image/foo.gif. Only complete path segments are
> matched, so the above alias would not match a request for
> http://example.com/imagefoo.gif.
>

-- 
Eric Covener
covener@gmail.com
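
Added example (not part of the thread and not mod_alias source code): a simplified Python model of the two matching rules the messages above contrast, plain string-prefix expansion versus complete-path-segment matching, run over constructed request paths built from the quoted examples. The function names are hypothetical.

```python
# Simplified model for illustration only; assumptions are noted inline.

def map_naive_prefix(uri, fakename, realname):
    """Plain string-prefix rule: the mapping the proposed doc note describes."""
    if uri.startswith(fakename):
        return realname + uri[len(fakename):]
    return None


def map_segment_aware(uri, fakename, realname):
    """Complete-path-segment rule: the mapping the quoted 2.4 docs describe."""
    if not uri.startswith(fakename):
        return None
    rest = uri[len(fakename):]
    # A fakename without a trailing slash must end on a segment boundary:
    # either the URI ends here or the next character is '/'.
    if not fakename.endswith("/") and rest and not rest.startswith("/"):
        return None
    return realname + rest


def compare(uris, fakename, realname):
    """Return the URIs on which the two rules disagree, with both results."""
    diffs = {}
    for uri in uris:
        naive = map_naive_prefix(uri, fakename, realname)
        strict = map_segment_aware(uri, fakename, realname)
        if naive != strict:
            diffs[uri] = (naive, strict)
    return diffs


# Constructed sample requests, taken from the paths quoted in the thread.
SAMPLE = [
    "/icons/small.gif",
    "/icons-private/small.gif",
    "/icons",
    "/image/foo.gif",
    "/imagefoo.gif",
]

if __name__ == "__main__":
    for uri, (naive, strict) in compare(SAMPLE, "/icons", "/usr/share/icons").items():
        print(f"{uri}: prefix rule -> {naive}, segment rule -> {strict}")
```

Running the comparison against a deployed configuration's Alias pairs shows which request paths would resolve outside the intended directory under each rule.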
