> Hi Charles
>
> there is a *=* case which resets the parameter list in sh-httpd, it
> disables constructs like
>
> foo=bar&baz=foo
>
> I guess parameters without a value would pass fine

Thanks for the detail...I'll see if I can remember why this was specifically added when reviewing the code (hopefully sometime in the near future).

I do remember I was pretty aggressive on what was *NOT* allowed to be passed as a parameter, to prevent various exploits possible via shell-expansion of the cgi command and parameters (i.e. URLs like http://www.weblet.firewall/cgi-bin/viewlogs&messages;rm+-rf+/ )

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
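
The trade-off discussed in this thread, as an added example that is not sh-httpd's code and not part of the original messages: a POSIX sh allow-list check that accepts `foo=bar&baz=foo` while still rejecting anything the shell could expand. The function names (`param_ok`, `query_ok`, `get_param`) and the exact character allow-list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; function names and the allow-list are hypothetical.
LC_ALL=C; export LC_ALL          # make A-Z / a-z ranges byte-exact

# One parameter: "name" or "name=value", allow-listed characters only.
param_ok() {
    case "$1" in
        ''|=*)              return 1 ;;  # empty parameter or missing name
        *=*=*)              return 1 ;;  # more than one '=' in a parameter
        *[!A-Za-z0-9_.=-]*) return 1 ;;  # ; & | $ ` + / % spaces, quotes, ...
    esac
    return 0
}

# Whole query string: parameters joined by single '&' characters.
query_ok() {
    rest=$1
    while [ -n "$rest" ]; do
        param=${rest%%'&'*}              # text up to the first '&'
        param_ok "$param" || return 1
        case "$rest" in
            *'&'*) rest=${rest#*'&'}
                   [ -n "$rest" ] || return 1 ;;  # trailing '&'
            *)     rest= ;;
        esac
    done
    return 0
}

# Print the value of parameter $1 from query $2. The query is validated
# first and is only ever handled as quoted data: no eval, no word splitting.
get_param() {
    query_ok "$2" || return 1
    rest=$2
    while [ -n "$rest" ]; do
        param=${rest%%'&'*}
        case "$param" in
            "$1="*) printf '%s\n' "${param#*=}"; return 0 ;;
        esac
        case "$rest" in
            *'&'*) rest=${rest#*'&'} ;;
            *)     rest= ;;
        esac
    done
    return 1
}
```

The allow-list deliberately excludes `+`, `/` and `%`, so URL-encoded values are rejected rather than decoded; widening it means decoding first and validating the decoded bytes.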