Michael Peters wrote:
> Randal L. Schwartz wrote:
>
>>>>>>>>"Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>>
>>Alex> The problem is due to unescaped variable interpolation in regular
>>Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>>
>>I don't want to raise too many alarms, but this means that every MP1 server
>>has a denial-of-service attack against it now.
>
>
> Not quite. It only affects people running PerlRun. Not insignificant, but
> definitely not everyone.

fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
consider a basic setup.

this does not mean that I don't agree with the assessments thus far. but
one thing it does mean, though, is that we can't be sure we have a fix in
place if we are unable to verify before and after scenarios.

so, I could use some help here. if anyone is able to reproduce it please
email me PRIVATELY with

  o relevant httpd.conf
  o sample script

again, watch your reply-all button - no need to expose things to the world
and forever in google at the moment :)

alternatively, anyone with an interest can join #mp-security on
irc.pobox.com (irc.perl.org) so we can get this resolved quickly.

--Geoff
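
The interpolation issue quoted above, shown next to an escaped form, as an added example that is not code from this thread or from mod_perl. The helper names and the sample URI/PATH_INFO pairs are constructed for illustration; only the expression `$uri =~ /$path_info$/` comes from the quoted message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Form quoted in the thread: $path_info is compiled as regex source.
# Returns 1/0 for match/no match, undef if the pattern does not compile.
# (Hypothetical helper name.)
sub suffix_match_unescaped {
    my ($uri, $path_info) = @_;
    my $matched = eval { $uri =~ /$path_info$/ ? 1 : 0 };
    return $matched;    # undef when eval caught a regex compile error
}

# Escaped form: \Q...\E applies quotemeta, so every character of
# $path_info is matched literally. (Hypothetical helper name.)
sub suffix_match_escaped {
    my ($uri, $path_info) = @_;
    return $uri =~ /\Q$path_info\E$/ ? 1 : 0;
}

# Constructed sample pairs (URI, PATH_INFO); not taken from the thread.
my @samples = (
    [ '/perl/app.pl/extra', '/extra' ],  # no metacharacters: forms agree
    [ '/perl/app.pl/aXb',   '/a.b'   ],  # "." matches any character
    [ '/perl/app.pl/a+b',   '/a+b'   ],  # "+" is read as a quantifier
    [ '/perl/app.pl/x(y',   '/x(y'   ],  # unbalanced "(" is not a valid regex
);

printf "%-22s %-8s %-10s %s\n", 'uri', 'path', 'unescaped', 'escaped';
for my $pair (@samples) {
    my ($uri, $path_info) = @$pair;
    my $raw  = suffix_match_unescaped($uri, $path_info);
    my $safe = suffix_match_escaped($uri, $path_info);
    printf "%-22s %-8s %-10s %s\n",
        $uri, $path_info,
        defined $raw ? $raw : 'error',
        $safe;
}
```

A before/after check of a fix can use the same comparison: wherever the two columns differ for a given PATH_INFO, the unescaped pattern was interpreting request data as regex syntax.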