From: "Rodent of Unusual Size" <[EMAIL PROTECTED]> Sent: Wednesday, October 03, 2001 8:54 AM
> "William A. Rowe, Jr." wrote: > > > > [There is a weakness. We need to evaluate the exception > > list by component, right now we simply strcmp. There is > > a note in status to that effect. E.g. requesting index.bak > > -should- match index.html.bak > > Um, no, I definitely think not. I think the portion of > the filename that's specified in the URL should be > considered opaque, and that we can only negociate using > the bits that are tailed on the file names but not the > URL. There are two issues, the list of exceptions (base name and the elements that are _unrecognized_ by mime negotation) and the actual file name accepted. I meant the first issue when I posted this. The first issue I patched last night for 2.0, I'm sure FirstBill will pick up that patch and backport to 1.3. It goes like this... the user requests index.html.old and we have an index.html.old.en file to match. But the exception list contains index and old, since html is a mime type and en is a language. We compared index.old to index.html.old (the exceptions to the request) and would fail! That was badness. The patch ignores the request's .html segment, and simply assures that both index and .old are part of the _requested_ name before it's willing to allow that file to be served. No more serving .bak files without being asked, but it behaves more similarly to the old 1.3 behavior now. The second issue is allowing the request index.old to serve index.html.old, which would work with Francis's patch (abiet with a small change)... I'll answer that in a second post, with the right subject.
