bug in autoindex module
mdounin at mdounin.ru
Thu Dec 31 01:55:31 MSK 2009
On Thu, Dec 31, 2009 at 12:45:18AM +0700, Edho P Arief wrote:
> On Tue, Dec 29, 2009 at 5:20 PM, Edho P Arief <edhoprima at gmail.com> wrote:
> > Don't know if found by someone else, but I find this bug today in
> > autoindex module.
> > Basically, the file/dirname is not escaped properly.
> > To reproduce:
> > - enable autoindex in a directory
> > - create file with name "some<em>thing" in the directory
> > - view the (broken) directory list in web
> it should use ngx_escape_html - I've tried modifying it but I don't
> know enough C to correctly fix it.
I'm currently looking in it, stay tuned.
More information about the nginx