http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10775

SCRIPT_NAME wrong value





------- Additional Comments From [EMAIL PROTECTED]  2002-08-10 05:20 -------
The normalized value is assigned to r->path_info
during the call to ap_directory_walk.  ap_directory_walk contains the following
comment:

    /* XXX Notice that this forces path_info to be canonical.  That might
     * not be desired by all apps. ...

It would appear that any application that depends on the PATH_INFO from a uri
such as 'http://www.plover.com/cgi-bin/myprogram/http://some.other.url/' 
falls into the category of "an app that does not desire this behavior."

But there is still a bug, because ap_find_path_info assumes that the
tails of the r->path_info and r->uri will match, and they don't,
because the path_info was canonicalized in ap_directory_walk, but the
r->uri was not canonicalized.  

The ap_directory_walk comment cited above continues:

        ...  However, some of those same apps likely
     * have significant security holes.
     */

I believe this is referring to apps that might be invoked as
http://perl.plover.com/cgi-bin/myapp/../../../../../../../../../etc/passwd.
Canonicalizing this path may well save 'myapp' from a severe security
problem.  However, compressing repeated slashes from the path_info
does not appear to have any analogous security benefit.
