On Mon, Dec 8, 2014 at 4:30 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> I need to compare against an unparsed URI because r->uri is vulnerable to a
>> path traversal attack. For instance, this:
>> http://abc.me/unprotected_path/../protected_path
>> becomes:
>> http://abc.me/protected_path
>
> I don't see how http://abc.me/unprotected_path/../protected_path is
> more a path traversal than accessing http://abc.me/protected_path
> directly.
> Either /protected_path is accessible, or it isn't. Am I missing something?

Note that dot-slashes are stripped from r->uri so that it can be matched
against configuration's paths/files (Location, Directory, Files, ...) without
them being abused (precisely).

>
> Regards,
> Yann.
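The following is an added example, not code from the thread or from httpd, that shows why the normalized r->uri is the right thing to compare against a Location-style prefix and why comparing the raw request path is bypassable. normalize_path() is a stand-in for httpd's dot-segment stripping (it follows RFC 3986 section 5.2.4, not httpd's own routine), path_under() is a hypothetical segment-aware prefix match, and the "/protected_path" prefix and the probe request are constructed inputs. The example assumes the path is already %-decoded and begins with "/".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Remove "." and ".." segments from an absolute request path (RFC 3986
 * section 5.2.4 semantics). Stand-in for httpd's normalization of r->uri;
 * assumes a %-decoded path starting with '/'. Truncates if out is too small. */
static void normalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0;
    const char *p = in;

    if (outsz == 0) return;
    out[0] = '\0';
    if (*p == '/' && olen + 1 < outsz) {   /* keep the root slash */
        out[olen++] = '/';
        out[olen] = '\0';
        p++;
    }

    while (*p) {
        const char *seg = p;
        size_t seglen;
        bool has_slash;

        while (*p && *p != '/') p++;       /* scan one segment */
        seglen = (size_t)(p - seg);
        has_slash = (*p == '/');
        if (has_slash) p++;

        if (seglen == 1 && seg[0] == '.') {
            continue;                      /* "." is the current directory: drop */
        }
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* "..": pop the previous segment, but never climb above "/" */
            if (olen > 1) {
                olen--;                                   /* drop its trailing '/' */
                while (olen > 0 && out[olen - 1] != '/') olen--;
            }
            out[olen] = '\0';
            continue;
        }
        /* ordinary segment: append it, keeping its separator if it had one */
        if (olen + seglen + (has_slash ? 1u : 0u) + 1 > outsz) {
            break;                         /* would not fit: truncate */
        }
        memcpy(out + olen, seg, seglen);
        olen += seglen;
        if (has_slash) out[olen++] = '/';
        out[olen] = '\0';
    }
}

/* Hypothetical segment-aware prefix test: "/protected_path" covers
 * "/protected_path" and "/protected_path/..." but not "/protected_path2". */
static bool path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0) return false;
    return path[n] == '\0' || path[n] == '/';
}

/* The comparison the thread argues about: the protected prefix checked against
 * the raw request path (use_raw) versus against the dot-segment-free path. */
static bool hits_protected(const char *request_path, bool use_raw)
{
    char norm_buf[512];
    if (use_raw) return path_under(request_path, "/protected_path");
    normalize_path(request_path, norm_buf, sizeof norm_buf);
    return path_under(norm_buf, "/protected_path");
}

/* Wrapper with a static buffer so the normalized form can be compared inline. */
static const char *norm(const char *in)
{
    static char buf[512];
    normalize_path(in, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* constructed probe: the request from the thread, minus scheme and host */
    const char *probe = "/unprotected_path/../protected_path";
    printf("%s -> %s\n", probe, norm(probe));
    printf("raw compare says protected:        %s\n", hits_protected(probe, true) ? "yes" : "no");
    printf("normalized compare says protected: %s\n", hits_protected(probe, false) ? "yes" : "no");
    return 0;
}
```

The raw comparison answers "no" for the probe even though the server will map the request to /protected_path, which is the bypass; the comparison against the normalized path answers "yes", which is what matching against r->uri gives you for free.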