I can also confirm this mod_access bug: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
The bug is present in lighttpd-1.4.13-9ubuntu4 and fixed in lighttpd-1.4.13-9ubuntu4.1 (version created after applying debdiff).

To test, I edited this line in /etc/lighttpd/lighttpd.conf:

    url.access-deny = ( "~", ".inc", ".txt" )

I created a simple test.txt file in /var/www/ and could not access it using either http://hostname/test.txt or http://hostname/test.txt/.

I just wanted to comment on my testing methods in case anyone's interested.

--
lighttpd security fixes
https://bugs.launchpad.net/bugs/127718
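The test described in the comment above, written as a repeatable check. This is an added example, not part of the original message or of the lighttpd or Ubuntu packages. It requests both the plain URL and the trailing-slash form and passes only if both are refused with 403, the status mod_access sends for a denied URL; the function names and the command-line arguments are assumptions.

```shell
#!/bin/sh
# Added example: regression check for a url.access-deny rule.
# Usage (assumed): ./check-deny.sh http://hostname /test.txt

# Print the HTTP status code for a URL (curl prints 000 if the request fails).
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# check_denied BASE_URL PATH
# Requests PATH and PATH/ and returns 0 only if both answer 403.
# Any other status (including 000 for "no answer") counts as a failure,
# so an unreachable server is never reported as protected.
check_denied() {
    base=$1
    path=$2
    rc=0
    for url in "$base$path" "$base$path/"; do
        code=$(fetch_status "$url")
        if [ "$code" = "403" ]; then
            echo "denied      $code  $url"
        else
            echo "NOT DENIED  $code  $url"
            rc=1
        fi
    done
    return $rc
}

# Only contact a server when a base URL and a path are given.
if [ $# -ge 2 ]; then
    check_denied "$1" "$2"
fi
```

Run it once against the unpatched package and once after the upgrade; the exit status is non-zero whenever either form of the URL is not refused.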
