Bug #1230
Status: closed
appending / to URL breaks access-deny setting
Description
If a / is appended to a URL, lighttpd incorrectly serves the original URL.
i.e. a request for
http://www.ahost.com/graphics/image.jpg/
will result in lighty serving the file at
http://www.ahost.com/graphics/image.jpg
This breaks access-deny settings! For instance, if I have configured lighty to deny hot-linked .jpg's like this:
$HTTP["referer"] !~ "^($|http://www.ahost.com)" {
    url.access-deny = ( ".jpg" )
}
Then the hot-linked request for "http://www.ahost.com/graphics/image.jpg" will be denied...
But the hot-linked request for "http://www.ahost.com/graphics/image.jpg/" will be served and the access-deny setting will not be obeyed. This means that any hot-linker can get around my access-deny settings by appending the "/" to the file he wants to hot-link.
The solution is for lighty to not serve up the original file when a request for that file with an appended "/" is made.
-- jay
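The mismatch described above, as an added example that is not part of the bug report or of lighttpd's code: a simplified Python model of a suffix deny rule tested on the raw request path, beside the same rule tested on the normalised path that is actually served. It generalises beyond the trailing slash to dot segments and doubled slashes; the referer regex is the pattern from the report with its dots escaped, and the file-lookup normalisation is an assumption of the model.

```python
import re

# Constructed model of the behaviour in the report; not lighttpd source.
# Assumption: the file lookup maps a request path to a file by dropping
# empty segments (trailing or doubled "/"), "." and resolving "..".
DENY_SUFFIXES = (".jpg",)
TRUSTED_REFERER = re.compile(r"^($|http://www\.ahost\.com)")


def normalize_path(path: str) -> str:
    """Resolve '.', '..', '//' and a trailing '/' the way the lookup does."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_denied(path: str, referer: str) -> bool:
    """Reported behaviour: suffix test on the raw request path."""
    if TRUSTED_REFERER.search(referer):
        return False  # referer empty or on-site: the deny block does not apply
    return any(path.endswith(s) for s in DENY_SUFFIXES)


def hardened_denied(path: str, referer: str) -> bool:
    """Fixed behaviour: suffix test on the same normalised path that is served."""
    if TRUSTED_REFERER.search(referer):
        return False
    served = normalize_path(path)
    return any(served.endswith(s) for s in DENY_SUFFIXES)


def checks_agree(path: str, referer: str = "http://evil.example/") -> bool:
    """Regression check: the deny decision must not depend on path spelling."""
    return naive_denied(path, referer) == hardened_denied(path, referer)


if __name__ == "__main__":
    for p in ("/graphics/image.jpg", "/graphics/image.jpg/", "/graphics/./image.jpg//"):
        print(p, "naive:", naive_denied(p, "http://evil.example/"),
              "hardened:", hardened_denied(p, "http://evil.example/"))
```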
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
One solution is to use static-file.exclude-extensions = ( ".jpg" ) instead, or wait for r1871 to appear.