On Mon, May 4, 2015 at 9:20 PM, William A Rowe Jr wrote:
> On Mon, May 4, 2015 at 6:01 AM, Yann Ylavic wrote:
>>
>> On Fri, May 1, 2015 at 9:01 PM, Jim Riggs wrote:
>> >
>> > I may go ahead and write up a patch this weekend to change them all
>> > (*Match and RewriteRule) and then we can all deb
On Mon, May 4, 2015 at 6:01 AM, Yann Ylavic wrote:
> On Fri, May 1, 2015 at 9:01 PM, Jim Riggs wrote:
> >
> > I may go ahead and write up a patch this weekend to change them all
> (*Match and RewriteRule) and then we can all debate it over on bugz too!
>
> ap_getparents() may be the right place
* Jim Riggs wrote:
> > On 1 May 2015, at 10:52, André Malo wrote:
> >
> > * Niklas Edmundsson wrote:
> >> On Thu, 30 Apr 2015, Yann Ylavic wrote:
> >>> On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs
> >
> > wrote:
> Thanks, Yann. I remember looking at this code before. The question
> remai
On Fri, May 1, 2015 at 9:01 PM, Jim Riggs wrote:
>
> I may go ahead and write up a patch this weekend to change them all (*Match
> and RewriteRule) and then we can all debate it over on bugz too!
ap_getparents() may be the right place to strip
(non-leading-)double-slashes, for any code using r->
> On 1 May 2015, at 10:52, André Malo wrote:
>
> * Niklas Edmundsson wrote:
>
>> On Thu, 30 Apr 2015, Yann Ylavic wrote:
>>> On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs
> wrote:
Thanks, Yann. I remember looking at this code before. The question
remains, though: Is it currently "wrong"
* Niklas Edmundsson wrote:
> On Thu, 30 Apr 2015, Yann Ylavic wrote:
> > On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs
wrote:
> >> Thanks, Yann. I remember looking at this code before. The question
> >> remains, though: Is it currently "wrong"? Does it need to be "fixed",
> >> or was this distincti
On Thu, 30 Apr 2015, Yann Ylavic wrote:
On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs wrote:
Thanks, Yann. I remember looking at this code before. The question remains, though: Is it
currently "wrong"?
Does it need to be "fixed", or was this distinction made intentionally?
Is there a specific u
+1
By unbreaking configurations we are indeed changing behavior. This could
be an unexpected change for an admin during a minor upgrade but I weigh
that against the fact that directives enclosed by these matches may be
intended to add security/authorization/authentication which a badly
written link
On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs wrote:
>
> Thanks, Yann. I remember looking at this code before. The question remains,
> though: Is it currently "wrong"?
> Does it need to be "fixed", or was this distinction made intentionally?
> Is there a specific use case that requires the regex-mat
> On 28 Apr 2015, at 17:55, Yann Ylavic wrote:
>
> It seems that while is compared to ap_no2slash(r->uri),
> is matched against r->uri directly.
> That's probably the "issue".
>
> A possible fix (untested) could be:
>
> Index: server/request.c
> ===
It seems that while is compared to ap_no2slash(r->uri),
is matched against r->uri directly.
That's probably the "issue".
A possible fix (untested) could be:
Index: server/request.c
===
--- server/request.c(revision 1674695)
+++
* Jim Riggs wrote:
> This came up at ApacheCon a couple of weeks ago. I just took this knowledge
> for granted, as I have always accounted for it, but both Rich and Trawick
> were surprised. As I thought about it some more, it seems this may be a
> POLA violation. Thoughts? If we agree it should b
This came up at ApacheCon a couple of weeks ago. I just took this knowledge for
granted, as I have always accounted for it, but both Rich and Trawick were
surprised. As I thought about it some more, it seems this may be a POLA
violation. Thoughts? If we agree it should be fixed, I can make the b
13 matches
Mail list logo