>>>>> "Denys" == Denys Vlasenko <[EMAIL PROTECTED]> writes:
 >> Actually, thinking about it a bit more - This cannot happen as the
 >> strcmp() wouldn't match.

 Denys> There is no code which ensures that ':' exists *in config file*.
 Denys> It seems like there is no code to ensure that leading '/' is there too.
 Denys> Find this comment:

 Denys> //TODO: we do not test for leading "/"??
 Denys> //also, do we leak cur if BASIC_AUTH is off?

 >> Notice that we could use 'p' here instead of
 >> 'request' and the result would be the same.

 Denys> Thus p can very well be lacking ':'.

Ok, but then it's a configuration problem, rather than a remote security
issue - Not to say, that we shouldn't be more robust when we parse the
conf file.

--
Bye, Peter Korsgaard
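The parse-time robustness discussed in this thread, as an added example that is not part of the original message or of busybox's httpd code: it assumes auth entries of the form `/path:user:password` and rejects lines that lack the leading '/' or the ':' in the credentials. All names (`parse_auth_entry`, `struct auth_entry`, the `AUTH_*` codes) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum auth_parse { AUTH_OK, AUTH_NO_SLASH, AUTH_NO_CRED, AUTH_BAD_CRED, AUTH_TOO_LONG };

struct auth_entry {
    char path[128];   /* URL prefix, guaranteed to start with '/' */
    char cred[128];   /* "user:password", guaranteed to contain ':' */
};

/* Validate one config line assumed to look like "/path:user:password". */
static enum auth_parse parse_auth_entry(const char *line, struct auth_entry *out)
{
    const char *sep, *cred, *colon;
    size_t plen, clen;

    if (line[0] != '/')
        return AUTH_NO_SLASH;          /* the untested leading '/' */
    sep = strchr(line, ':');
    if (sep == NULL)
        return AUTH_NO_CRED;           /* path only, nothing to compare against */
    cred = sep + 1;
    colon = strchr(cred, ':');
    if (colon == NULL || colon == cred)
        return AUTH_BAD_CRED;          /* stored string lacks ':' or has empty user */
    plen = (size_t)(sep - line);
    clen = strcspn(cred, "\r\n");      /* drop a trailing line ending */
    if (plen >= sizeof(out->path) || clen >= sizeof(out->cred))
        return AUTH_TOO_LONG;
    memcpy(out->path, line, plen);
    out->path[plen] = '\0';
    memcpy(out->cred, cred, clen);
    out->cred[clen] = '\0';
    return AUTH_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real configuration. */
    static const char *samples[] = {
        "/admin:alice:secret", "admin:alice:secret", "/admin", "/admin:alice" };
    struct auth_entry e;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s -> %d\n", samples[i], (int)parse_auth_entry(samples[i], &e));
    return 0;
}
```

Rejecting the entry when the file is loaded means the later strcmp() against the decoded request only ever sees a stored string that contains ':'.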
