Re: special characters (HTTP)

[Peter Tonoli <anarchie () SUBURBIA NET>]

On Sun, 6 Aug 2000, Bluefish wrote:

> I believe most mayor httpds (apache, IIS etc) has delt with this problem
> long ago. However, some less wellknown httpd-softwares have had serious
> problems with this (checking that URL doesn't contain ".." BEFORE
> converting special characters)

Err, shouldn't this be *after* converting special chars? What if the
converted characters are '..' or similar - I seem to remember a
vulnerability involving this (can't remember what http server
however!). :)

Peter