httpd-modules-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Preventing Path Traversal Attack
Date Mon, 08 Dec 2014 15:51:28 GMT
On Mon, Dec 8, 2014 at 4:30 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>> I need to compare against an unparsed URI because r->uri is vulnerable to a
>> path traversal attack. For instance, this:
>> http://abc.me/unprotected_path/../protected_path
>> becomes:
>> http://abc.me/protected_path
>
> I don't see how http://abc.me/unprotected_path/../protected_path is
> more a path traversal than accessing http://abc.me/protected_path
> directly.
> Either /protected_path is accessible, or it isn't. Am I missing something?

Note that dot-slashes are stripped from r->uri so that it can be
matched against configuration's paths/files (Location, Directory,
Files, ...) without them being abused (precisely).

>
> Regards,
> Yann.
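
Added example, not part of the message above and not httpd's own code: a C sketch of why the path is matched only after dot segments are collapsed, using the URL from the thread. The names `remove_dot_segments`, `under_location` and `is_protected` are hypothetical, and the prefix match is a simplified stand-in for `<Location>` matching.

```c
#include <stdio.h>
#include <string.h>

/* Collapse "." and ".." segments in place (RFC 3986 5.2.4); hypothetical helper. */
static void remove_dot_segments(char *path)
{
    char *in = path, *out = path;
    if (*path != '/') return;                 /* only absolute paths handled */
    while (*in) {                             /* 'in' always sits on a '/' */
        char *seg = in + 1;
        size_t len = strcspn(seg, "/");
        int dot = (len == 1 && seg[0] == '.');
        int dotdot = (len == 2 && seg[0] == '.' && seg[1] == '.');
        if (dotdot) {                         /* drop last kept segment, stop at root */
            while (out > path && *--out != '/') continue;
        } else if (!dot) {                    /* ordinary segment: keep it */
            *out++ = '/';
            memmove(out, seg, len);
            out += len;
        }
        in = seg + len;
        if (!*in && (dot || dotdot)) *out++ = '/';   /* "/a/." becomes "/a/" */
    }
    *out = '\0';
}

/* Segment-boundary prefix match, a simplified stand-in for <Location>. */
static int under_location(const char *path, const char *loc)
{
    size_t n = strlen(loc);
    return strncmp(path, loc, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Decide on the normalized path; odd input is treated as protected. */
static int is_protected(const char *raw_uri)
{
    char buf[256];
    if (raw_uri[0] != '/' || strlen(raw_uri) >= sizeof buf) return 1;
    strcpy(buf, raw_uri);
    remove_dot_segments(buf);
    return under_location(buf, "/protected_path");
}

int main(void)
{
    const char *raw = "/unprotected_path/../protected_path";  /* from the thread */
    printf("raw: %d normalized: %d\n", under_location(raw, "/protected_path"), is_protected(raw));
    return 0;
}
```

A check on the raw string reports no match for the thread's URL, while the check on the normalized path reports a match. Percent-encoded segments are outside what this sketch covers.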
