From: John Rodenbiker
Date: Fri, 10 Mar 2006 19:06:48 -0600
To: users@httpd.apache.org
Subject: Re: [users@httpd] Blocking invalid URIs?
In-Reply-To: <20060310222520.8B44873029@linus.area51.conman.org>

--
Freedom, Truth, Love, Beauty.
John Rodenbiker
jrodenbiker@rodenbiker.net

On Mar 10, 2006, at 4:25 PM, Sean Conner wrote:

> It was thus said that the Great John Rodenbiker once stated:
>>
>> Is there a way to have httpd drop requests to URIs that don't actually
>> exist in my environment?
>
> It's turned on by default in Apache. In other words, any content
> *outside* of the DocumentRoot is not served up, no matter how many "../"
> are thrown at the web server. Don't put anything you don't want seen in
> the DocumentRoot.

That's good to know, thank you.

The reason I ask is because there is a company trying to sell a "web application firewall" that appears to do just what I asked, except for $9995.

Are these guys full of it, or what are they really offering?

http://www.webscurity.com/products.htm