[HECnet] Security hole in CSWS

[Dennis Boone]

It's legal ";-0" too, meaning the oldest version available :)

One is starting to hope that PHP gets _some_ of the filespec stuff
right. :)

But, while I'm willing to believe (at least until I have time to study
it a bit more) that it's PHP which looks to see if it owns the requested
extension, I'm reluctant to believe that Apache hands over full pathname
processing.   That should reduce the size of the problem space a little.

I wonder if case matters...

The rule might better read:

      RewriteRule (.*\.[Pp][Hh][Pp])([;.][0-9-]*)(.*) $1$3

De