httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stuart Dallas" <stu...@sharedserver.net>
Subject Re: Improper Variable listings?
Date Tue, 28 May 2002 10:22:19 GMT
Weston Houghton <whoughton@anapraxis.com> wrote:
> I'm wondering if I have found an oddity in httpd. I'm currently
> writing a PHP directory listing system. I am pretty sure that this is
> not a php issue, but I have not been able to test it on a httpd
> install sans php, but it can be seen when requesting an image file,
> which should not invoke the PHP parser.
>
> So here it is, if you try hitting the URL:
> http://www.anapraxis.com/assets/global/en_solutions.gif?element=../../../
>
> Or if you would like to see it on the httpd site:
> http://httpd.apache.org/images/httpd_logo_wide.gif?element=../../
>
> Apache will actually return the directory listing of the assets/
> directory (assuming you have directory listing enabled, otherwise it
> returns the standard forbidden error). It does not seem to matter
> what the actual variable name following the "?" is. However,
> shouldn't apache ignore anything following the "?" as it should
> really just be a part of the query string variables?

Not from where I am. Both URLs above retrieve the images you would expect
them to.

--
Stuart


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message