On Mon, 2 Jan 2006, Aurelien Foret wrote:
As far as I can see, the rfc1738_do_escape patch fixes some stuffs in the ftp_basehref patch itself, rather than flaws in squid 2.5.STABLE10. As a consequence, I wonder if the latter patch has introduced the vulnerability or if it was existing anyway.
Seems right to me. But I have not tested 2.5.STABLE10 explicitly to verify.
Regards Henrik
