Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1996/11/27 19:57:09 UTC
security hole redux
I will veto any release of Apache 1.2 with the security hole I mentioned
earlier this week. Can someone familiar with content negotiation and mod_dir
please look into this issue? My guess is that mod_dir is specified as a
handler for */*, and when mod_negotiation declines the request by finding no
acceptable variant, mod_dir kicks in. But I don't really know that stretch of
code. I will try to look into it today, but I'm way behind on the
learning curve.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
Re: security hole redux
Posted by Dean Gaudet <dg...@hotwired.com>.
It would seem prudent to add a feature to mod_dir that makes it require
a particular file (say .htautoindex) to exist in a directory before it
will generate an index. How many times have we run into problems where
mod_dir can be coaxed into giving out the directory listing?
Dean
In article <ho...@eat.organic.com>,
Brian Behlendorf <ne...@hyperreal.com> wrote:
>
>I will veto any release of Apache 1.2 with the security hole I mentioned
>earlier this week. Can someone familiar with content negotiation and mod_dir
>please look into this issue? My guess is that mod_dir is specified as a
>handler for */*, and when mod_negotiation declines the request by finding no
>acceptable variant, mod_dir kicks in. But I don't really know that stretch of
>code. I will try to look into it today, but I'm way behind on the
>learning curve.
>
> Brian
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
>
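
The opt-in check Dean Gaudet proposes above, written out as an added example; it is not code from this thread or from Apache's mod_dir. The names AUTOINDEX_MARKER, autoindex_allowed() and demo_check() are hypothetical, and refusing a symlinked marker and failing closed on every error are assumptions of this example.

```c
/* Added illustration, not Apache code. AUTOINDEX_MARKER, autoindex_allowed()
 * and demo_check() are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define AUTOINDEX_MARKER ".htautoindex"

/* Returns 1 only if dir holds a regular file named AUTOINDEX_MARKER.
 * Any failure (unreadable dir, no marker, symlink, non-regular file)
 * returns 0, so the listing stays off unless someone opted in. */
int autoindex_allowed(const char *dir)
{
    struct stat st;
    int allowed = 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return 0;
    /* AT_SYMLINK_NOFOLLOW: a symlink named .htautoindex does not count. */
    if (fstatat(dfd, AUTOINDEX_MARKER, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISREG(st.st_mode))
        allowed = 1;
    close(dfd);
    return allowed;
}

/* Constructed test input: a temp directory with no marker (kind 0),
 * a regular-file marker (kind 1) or a symlink marker (kind 2). */
int demo_check(int kind)
{
    char dir[] = "/tmp/autoindexXXXXXX", path[64];
    int fd, result;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/%s", dir, AUTOINDEX_MARKER);
    if (kind == 1 && (fd = open(path, O_CREAT | O_WRONLY, 0600)) >= 0)
        close(fd);
    if (kind == 2 && symlink("/etc/hosts", path) != 0)
        perror("symlink");
    result = autoindex_allowed(dir);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void) { printf("none=%d file=%d symlink=%d\n",
                        demo_check(0), demo_check(1), demo_check(2)); return 0; }
```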