"Roy T. Fielding" wrote: > > Your patch will simply let the %2F through, but then a later section > of code will translate them to / and we've opened a security hole > in the main server.
have we? can it be exploited by anything not server-side? i don't see how. > I'd rather move the rejection code to the place where a > decision has to be made (like the directory walk) so would i, but i haven't managed it yet. i see still using this directive even in that case, except that it will become or_fileinfo instead of rsrc_conf and will be able to be specified at finer granularity (such as <files>). in the meantime, this is a real-world problem. i'm proposing an extensible solution to address it, with a default of 'off' and documentation saying 'if you turn this on your scripts had better be good, here's why.' -- #ken P-)} Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/ Author, developer, opinionist http://Apache-Server.Com/ "Millennium hand and shrimp!"
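The ordering problem Roy describes, shown as an added example (my own code, not Ken's patch and not Apache's unescaping routine): a percent-decoder that refuses an encoded slash unless the administrator opts in, plus a helper that counts path segments after decoding so the effect on a later directory walk is visible. Function and enum names are assumed for this illustration.

```c
/* Added example, not from the thread or the Apache source. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum unescape_status { UNESC_OK = 0, UNESC_BAD_ESCAPE = 1, UNESC_ENCODED_SLASH = 2 };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX sequences in place. With allow_encoded_slashes == 0 a %2F
 * (or %2f) is rejected rather than turned into a separator, so the later
 * directory walk never sees a slash the client smuggled past the first
 * split. Malformed escapes are rejected as well. */
enum unescape_status unescape_path(char *path, int allow_encoded_slashes) {
    char *out = path;
    for (const char *in = path; *in; ) {
        if (*in != '%') { *out++ = *in++; continue; }
        int hi = hexval((unsigned char)in[1]);
        int lo = (hi < 0) ? -1 : hexval((unsigned char)in[2]);
        if (hi < 0 || lo < 0) return UNESC_BAD_ESCAPE;
        int ch = hi * 16 + lo;
        if (ch == '/' && !allow_encoded_slashes) return UNESC_ENCODED_SLASH;
        *out++ = (char)ch;
        in += 3;
    }
    *out = '\0';
    return UNESC_OK;
}

/* Number of '/'-separated segments the directory walk would see if it ran
 * after decoding; -1 if the path was rejected. A request that encoded a
 * slash gains an extra segment only when the opt-in is on. */
int decoded_segment_count(const char *raw, int allow_encoded_slashes) {
    char buf[256];
    if (strlen(raw) >= sizeof buf) return -1;
    strcpy(buf, raw);
    if (unescape_path(buf, allow_encoded_slashes) != UNESC_OK) return -1;
    int n = 0;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) n++;
    return n;
}
```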
