DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20284>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20284

SECURITY: mod_spelling allows null default basename

           Summary: SECURITY: mod_spelling allows null default basename
           Product: Apache httpd-1.3
           Version: 1.3.24
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Other mods
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


There is a very simple way to be able to see the name of the .htaccess file
if CheckSpelling is turned on.  Or any other file that starts with a ".".
You will be able to get a list of all of the dot files in a directory, even
if indexing is turned off.  And if the file is readable, you will also be
able to click on the link and read it.

Just use any URL that starts with a ".", such as "http://www.blah.com/.asp".

It will look at everything before the dot.  Since the basename is null, it
will look at all files starting with ".".  This is, to me, unacceptable
behavior.  It should not attempt autocompletion on a null basename.  I know
that there are other issues but anything that provides a list of files that
are intentionally hidden is not correct behavior, IMO.

Thanks for your time.  Please let me know if this is a known issue, if it's
not an issue at all, or what is being done to resolve it.
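
An added illustration, not part of the original report and not the module's own source: a simplified C model of the basename matching the report describes, run with and without the null-basename guard the reporter asks for. The function names, the `guard` flag and the directory listing are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed directory listing used as sample input. */
static const char *const SAMPLE_DIR[] = {
    ".htaccess", ".htpasswd", "index.html", "about.html", "README"
};
#define SAMPLE_DIR_LEN (sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0])

/* Length of the basename: everything before the first '.' in a file
 * name, or the whole name if it contains no dot. */
static size_t basename_len(const char *name)
{
    const char *dot = strchr(name, '.');
    return dot ? (size_t)(dot - name) : strlen(name);
}

/* Hypothetical model of basename-only matching: an entry is a candidate
 * when its basename equals the requested basename, ignoring case.
 * With guard != 0 an empty (null) basename is never autocompleted.
 * Returns the number of candidates stored in out (at most max_out). */
size_t basename_candidates(const char *requested,
                           const char *const *entries, size_t n_entries,
                           const char **out, size_t max_out, int guard)
{
    size_t req_len = basename_len(requested);
    size_t found = 0;

    if (guard && req_len == 0)
        return 0;   /* ".asp" has no basename: offer nothing */

    for (size_t i = 0; i < n_entries && found < max_out; i++) {
        /* Unguarded, req_len == 0 equals the basename length of every
         * dot-file, and comparing zero bytes always succeeds. */
        if (basename_len(entries[i]) == req_len &&
            strncasecmp(requested, entries[i], req_len) == 0)
            out[found++] = entries[i];
    }
    return found;
}

int main(void)
{
    const char *out[8];
    for (int guard = 0; guard <= 1; guard++)
        printf("guard=%d: .asp -> %zu candidate(s)\n", guard,
               basename_candidates(".asp", SAMPLE_DIR, SAMPLE_DIR_LEN,
                                   out, 8, guard));
    return 0;
}
```

Once the basename is non-empty, dot-files can no longer match in this model, because their own basename length is always zero.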
