Posted to dev@httpd.apache.org by David Robinson <dr...@ast.cam.ac.uk> on 1995/11/03 10:37:00 UTC

double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)

>The bug here seems to be that the Alias command and its (effective) variants
>can be foxed by giving them URIs with doubled slashes, which then fail to
>match.  In particular, if the target directory of a ScriptAlias command is
>actually, say, the cgi-bin subdirectory of DocumentRoot, this can be used
>to disable the effects of ScriptAlias.  Here is a patch against *0.8.16*
>which appears to cure the problem:

Hmm, I'm not sure this is the best solution; can we guarantee that
this won't crop up in other modules?

The problem is the original completely bogus no2slash(); there is no
reason why http://host/dira//dirb/file should be the same as
http://host/dira/dirb/file.

We already don't remove double slashes for CGI script PATH_INFO; I suggest
that we don't remove double slashes anywhere.

So:
1. Remove no2slash()
2. In directory walk (or wherever we match the URL to a file) _reject_
   a filename with a void path segment.

 David.
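
Added example, not part of the original post and not Apache source code: a C sketch that models the failed alias match described in the quoted report, then compares collapsing slashes before the match with rejecting void path segments as proposed above. The names route(), collapse_slashes(), has_void_segment(), the /cgi-bin/ alias and the sample URI are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum outcome { RUN_AS_CGI, SERVE_AS_DOCUMENT, REJECTED };
enum policy  { MATCH_RAW, COLLAPSE_FIRST, REJECT_VOID };

/* Assumed configuration: ScriptAlias /cgi-bin/ -> <DocumentRoot>/cgi-bin/ */
static const char *SCRIPT_ALIAS = "/cgi-bin/";

/* Collapse runs of '/' in place, in the spirit of no2slash(). */
static void collapse_slashes(char *path)
{
    char *src = path, *dst = path;
    while (*src) {
        *dst++ = *src;
        if (*src == '/')
            while (*src == '/') src++;
        else
            src++;
    }
    *dst = '\0';
}

/* Assumption: a void path segment means two adjacent slashes. */
static int has_void_segment(const char *path)
{
    return strstr(path, "//") != NULL;
}

/* Decide how a request path is handled under each policy. */
static enum outcome route(const char *uri, enum policy p)
{
    char buf[256];
    if (strlen(uri) >= sizeof buf) return REJECTED;
    strcpy(buf, uri);
    if (p == REJECT_VOID && has_void_segment(buf)) return REJECTED;
    if (p == COLLAPSE_FIRST) collapse_slashes(buf);
    /* A byte-wise prefix compare stands in for the alias match. */
    if (strncmp(buf, SCRIPT_ALIAS, strlen(SCRIPT_ALIAS)) == 0)
        return RUN_AS_CGI;
    return SERVE_AS_DOCUMENT; /* no alias hit: DocumentRoot mapping applies */
}

int main(void)
{
    const char *uri = "//cgi-bin/report.cgi"; /* constructed sample */
    printf("raw=%d collapse=%d reject=%d\n", route(uri, MATCH_RAW),
           route(uri, COLLAPSE_FIRST), route(uri, REJECT_VOID));
    return 0;
}
```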