httpd: prevent access to config file and authenticated URLs - busybox-w32 - A mirror of https://github.com/rmyorston/busybox-w32.git

diff options

author	Ron Yorston <rmy@pobox.com>	2020-04-08 08:42:06 +0100
committer	Ron Yorston <rmy@pobox.com>	2020-04-08 08:42:06 +0100
commit	e9715893fdd30b6de367b3e0f0d9e3c362ec8889 (patch)
tree	a4b80ca4ebe0b152ef842b78efd406c5a492d888 /docs
parent	1e97d7904bddd3d43368883fa879279679964ee9 (diff)
download	busybox-w32-e9715893fdd30b6de367b3e0f0d9e3c362ec8889.tar.gz busybox-w32-e9715893fdd30b6de367b3e0f0d9e3c362ec8889.tar.bz2 busybox-w32-e9715893fdd30b6de367b3e0f0d9e3c362ec8889.zip

httpd: prevent access to config file and authenticated URLs

Filesystems on Microsoft Windows are usually case-insensitive. This allows clients to circumvent security by requesting URLs with changes in case that aren't anticipated by the server: http://example.com/Httpd.conf vs http://example.com/httpd.conf http://example.com/SeCuReDir vs http://example.com/SecureDir Use case-insensitive comparisons to avoid this.

Diffstat (limited to 'docs')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: