Greg Watson wrote:
webserver cannot find the CSS or images. I noticed you pass just the filename via the URL. Changing this to =/etc/passwd in your browser gives the password file as well. This is a security risk and I'd like to ask if someone knows how to restrict this to only a hard coded directory.

Quick-Fix! Change (line location varies depending on version):

    if ($fil=~/\.\./) {

to:

    if ($fil!~/.*\.(css|gif|jpg|png)$/i) {

This will prevent GETs on anything other than those (~safe) file types.
_______________________________________________
Assp-user mailing list
https://lists.sourceforge.net/lists/listinfo/assp-user
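The question in this thread is how to restrict the file lookup to one hard-coded directory. The Perl below is an added example, not ASSP's code and not written by either poster: it runs the extension test from the quick fix next to a check that accepts only a bare filename and confirms the resolved path stays inside a fixed directory. `resolve_static_file`, `$STATIC_DIR` and the request values are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Constructed demo layout: a throwaway directory stands in for the hard-coded
# static directory (assumption; the real location depends on the install).
my $STATIC_DIR = realpath(tempdir(CLEANUP => 1));
for my $name ('style.css', 'logo.png') {
    open(my $fh, '>', "$STATIC_DIR/$name") or die "create $name: $!";
    close($fh);
}

# Return the resolved path if $fil may be served, undef otherwise.
sub resolve_static_file {
    my ($fil) = @_;
    return unless defined $fil;
    # 1. Bare filename only: no directory separators, no leading dot, no NUL,
    #    and an allowed extension. \z instead of $ so a trailing newline fails.
    return unless $fil =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.(?:css|gif|jpg|png)\z/i;
    # 2. Resolve under the fixed directory; realpath follows symlinks, and the
    #    -f test rejects missing files and directories.
    my $real = realpath("$STATIC_DIR/$fil");
    return unless defined $real && -f $real;
    # 3. The resolved path must still be inside the fixed directory.
    return unless index($real, "$STATIC_DIR/") == 0;
    return $real;
}

# Constructed request values, including ones that end in an allowed extension
# but name a path outside the static directory.
for my $fil ('style.css', 'logo.png', '/etc/passwd', '../../etc/passwd',
             '/tmp/elsewhere.png', '../logo.png', "style.css\n", 'missing.gif') {
    (my $shown = $fil) =~ s/\n/\\n/g;
    # Extension test exactly as posted in the quick fix (true means "refuse").
    my $ext_only = ($fil !~ /.*\.(css|gif|jpg|png)$/i) ? 'reject' : 'accept';
    my $strict   = defined(resolve_static_file($fil)) ? 'accept' : 'reject';
    printf "%-22s extension-only: %-6s  fixed-dir: %s\n", $shown, $ext_only, $strict;
}
```

Only `style.css` and `logo.png` are accepted by the fixed-directory check; the extension test alone also accepts the entries that carry a directory component or a trailing newline.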
