www-apache-bugdb mailing list archives

From si...@ugive.com
Subject Re: mod_cgi/543: "%2F" not allowed in VGI script PATH_INFO
Date Wed, 04 Oct 2000 18:00:02 GMT
The following reply was made to PR mod_cgi/543; it has been noted by GNATS.

From: sinck@ugive.com
To: apbugs@apache.org
Cc:  
Subject: Re: mod_cgi/543: "%2F" not allowed in VGI script PATH_INFO
Date: Wed, 4 Oct 2000 10:50:43 -0700

 I ran into this with one of the typical offending URLs.  My problem is
 that the script isn't even on my site.  My 404 Error Document/script isn't
 being called.
 
 e.g.:
 
 http://127.0.0.1/blahblah%2f
 
 Throws a vanilla 404 page rather than the custom 404 Handler (that
 works).
 
 Should the 404 handler: 
 
        ErrorDocument 404 /perl/wtf.cgi
 
 care that the lamer threw a %2f in the url?  I don't think so, at
 least initially.
 
 I think the security isn't immediately compromised by letting the
 custom 404 fire, since the standard places for the variables
 (QUERY_STRING, PATH_INFO, etc) aren't in the 'normal' places.  The 404
 writer would have to deliberately be stupid.
 
 Not that that doesn't happen, of course.
 
 Thanks for your attention.
 
 David Sinck
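
Added example, not part of the original message or of Apache's code: a sketch of a CGI `ErrorDocument 404` handler that reads the failed request from the `REDIRECT_`-prefixed variables Apache sets on an internal error redirect, and treats that value as untrusted before echoing it. The function names and the 200-character cap are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical ErrorDocument 404 handler (CGI); names are illustrative."""
import html
import os
import sys

MAX_SHOWN = 200  # assumed cap on how much of the requested path is echoed


def failed_path(env):
    """Return the path of the request that failed.

    On an internal ErrorDocument redirect Apache exposes the original
    request under REDIRECT_-prefixed names (REDIRECT_URL, REDIRECT_STATUS,
    ...). The handler's own PATH_INFO and QUERY_STRING do not describe it,
    so they are deliberately not consulted here.
    """
    return env.get("REDIRECT_URL", "")


def printable(value):
    """Neutralise control characters, truncate, then HTML-escape."""
    cleaned = "".join(c if c.isprintable() else "?" for c in value)
    if len(cleaned) > MAX_SHOWN:
        cleaned = cleaned[:MAX_SHOWN] + "..."
    return html.escape(cleaned, quote=True)


def render_404(env):
    """Build the full CGI response (headers plus body) as one string."""
    body = (
        "<!DOCTYPE html>\n<html><head><title>404 Not Found</title></head>\n"
        "<body><h1>Not Found</h1>\n"
        f"<p>Nothing is served at <code>{printable(failed_path(env))}</code>.</p>\n"
        "</body></html>\n"
    )
    # Without an explicit Status header a CGI error document is sent as 200.
    headers = (
        "Status: 404 Not Found\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n"
    )
    return headers + body


if __name__ == "__main__":
    sys.stdout.write(render_404(os.environ))
```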
