http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395

[PATCH] don't normalize away /foo/.. for files as foo may be a symlink

------- Additional Comments From [EMAIL PROTECTED] 2003-07-08 17:29 -------

I'd say that normalizing is inherently more secure than not normalizing, since we (as in "the IT industry") have had multiple security breaches due to unnormalized paths, but very few (if any) due to normalized ones. I think that's why most servlet engines (all I've tried at least) will normalize the request URL for you.

Therefore: Normalize is (more) correct.

If this can be solved with a pluggable URLAbsolutizer then that's the way to go, I think. Default == normalize. Tweak == non-normalizing.
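The two readings of `/foo/..` that this bug turns on, as an added example (not code from the bug report or the project): textual normalization drops the segment pair, while the filesystem follows `foo` first when it is a symlink. The directory layout, file names and function names are constructed for illustration.

```python
import os
import posixpath
import shutil
import tempfile


def lexical_normalize(path):
    """Collapse '.' and '..' segments textually, without touching the filesystem."""
    return posixpath.normpath(path)


def filesystem_resolve(path):
    """Resolve the path the way the OS does: follow symlinks, then apply '..'."""
    return os.path.realpath(path)


def is_within(root, candidate):
    """True when candidate, after symlink resolution, stays under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(candidate)]) == root


def demo():
    """Build a constructed tree where foo is a symlink and compare both readings."""
    base = os.path.realpath(tempfile.mkdtemp())
    try:
        docroot = os.path.join(base, "docroot")
        outside = os.path.join(base, "outside", "sub")
        os.makedirs(docroot)
        os.makedirs(outside)
        # docroot/foo -> outside/sub, so docroot/foo/.. is 'outside', not 'docroot'
        os.symlink(outside, os.path.join(docroot, "foo"))
        requested = docroot + "/foo/../data.txt"
        normalized = lexical_normalize(requested)
        return {
            "docroot": docroot,
            "normalized": normalized,
            "resolved": filesystem_resolve(requested),
            "normalized_in_root": is_within(docroot, normalized),
            "unnormalized_in_root": is_within(docroot, requested),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The normalized path stays under the document root; the unnormalized one resolves outside it, so a resolver that skips normalization needs a containment check on the resolved path.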