httpd-users mailing list archives

From: Weston Houghton <whough...@anapraxis.com>
Subject: Improper Variable listings?
Date: Mon, 27 May 2002 17:43:22 GMT

Hello...

I'm wondering if I have found an oddity in httpd. I'm currently writing a
PHP directory listing system. I am pretty sure that this is not a PHP issue.
I have not been able to test it on an httpd install sans PHP, but it can
be seen when requesting an image file, which should not invoke the PHP
parser.

So here it is, if you try hitting the URL:
http://www.anapraxis.com/assets/global/en_solutions.gif?element=../../../

Or if you would like to see it on the httpd site:
http://httpd.apache.org/images/httpd_logo_wide.gif?element=../../

Apache will actually return the directory listing of the assets/ directory
(assuming you have directory listing enabled, otherwise it returns the
standard forbidden error). It does not seem to matter what the actual
variable name following the "?" is. However, shouldn't Apache ignore
anything following the "?" as it should really just be a part of the query
string variables?

Thanks,
Wes Houghton

