Re: ".svn" directory name no good (in fact, it is worse than I thought)

From: Colin Watson <cjwatson_at_flatline.org.uk>
Date: 2003-09-25 10:58:50 CEST

On Thu, Sep 25, 2003 at 12:53:12AM -0700, Shawn wrote:
> That was the original code in NT4 ... but when they put Unicode in win
> 2000 they forgot about the 15 other ways you can get a "." including the
> URL encoded versions ... %36 (or whatever the character code is) and
> boom you have a nice security hole that Code Red (and its 100 variants)
> exploited :)

Doing Unicode- and URL-decoding first before security checks doesn't
equate to "a lot of time and $$$" either. It's trivial, unless IIS is
even more of a ghastly unmaintainable hack than I can imagine (and that
would take some doing). Fixing it to be less
throw-the-baby-out-with-the-bathwater would be equally trivial.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
Received on Thu Sep 25 11:00:22 2003

This is an archived mail posted to the Subversion Dev mailing list.
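
The ordering argued for in the message above (decode first, then run the security check on the result) can be sketched as follows. This is an added example, not code from the original post, Subversion or IIS; the function names, the reject-double-encoding policy and the choice of a ".." segment check are assumptions made for illustration, and the sample paths in the comments are constructed.

```python
from urllib.parse import unquote


def canonical_path(raw_path: str) -> str:
    """Return the decoded path, or raise ValueError if it is ambiguous."""
    # Strict UTF-8: invalid or overlong byte sequences raise
    # UnicodeDecodeError (a ValueError) instead of being replaced.
    decoded = unquote(raw_path, errors="strict")
    # Assumed policy: if decoding again would change the result, the input
    # was encoded twice, and a later layer might see a different path.
    if unquote(decoded, errors="strict") != decoded:
        raise ValueError("double-encoded path")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded


def is_safe(raw_path: str) -> bool:
    """Run the check on the canonical form, never on the raw request."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return False
    # Treat "\" and "/" alike so both separator styles are covered.
    segments = path.replace("\\", "/").split("/")
    # Narrow rule: only parent-directory segments are refused. Names that
    # merely contain or start with a dot (".svn", "index.html") pass.
    return ".." not in segments


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ("/repo/.svn/entries",     # plain dot-directory
                   "/repo/%2esvn/entries",   # same name, encoded dot
                   "/a/%2e%2e/b",            # encoded parent segment
                   "/a/..%5cb",              # encoded backslash separator
                   "/a/%252e%252e/b",        # encoded twice
                   "/a/%c0%ae%c0%ae/b"):     # overlong UTF-8 form of "."
        print(f"{sample:24} {'allow' if is_safe(sample) else 'reject'}")
```

Because the check runs on the decoded string, the encoded and unencoded spellings of the same path get the same verdict, and a dot-prefixed directory name is not rejected merely for containing a dot.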
