httpd-test-dev mailing list archives

From "William A. Rowe, Jr." <wr...@covalent.net>
Subject Re: [franklin_tech_bulletins@yahoo.com: IBM AS/400 HTTP Server '/' attack]
Date Fri, 09 Nov 2001 20:32:53 GMT
From: "Roy T. Fielding" <fielding@ebuilt.com>
Sent: Friday, November 09, 2001 2:19 PM


> > Since SSI is another beast, it accepts path_info and serves the
> > page.
> 
> Yes, though I wish I could find a way to prevent it from doing so
> if it did not expect path_info.

I've been thinking the same thing... same with CGI.  It would be great if there
were a way to 'consume' path_info or else 404.  No trivial solution that I
could come up with.

> > etc.  A possible convention, against the core handler, would be an
> > external redirect back to /index.html to keep all that cruft away.
> 
> No, those should be 404 unless .html is SSI.

As an option, as opposed to a dictate?  Could even provide that shtml's could
leave that unset if they don't intend to use path_info.

> > CGI authors have to deal with this issue in whatever way is appropriate,
> > if they use path_info at all.
> 
> Likewise for JSP.

And every other scripting technology ;)

