#2 Security patch 2 for Pi3Web 2.0 beta 2


There's a problem with the Pi3Web 2.0 CGI handler for physical paths that are
exactly MAX_PATH (260) bytes long. The problem exists due to a specific
behaviour of the Windows API, which isn't handled correctly by the server.

The problem is limited to Pi3Web 2.0 on Win32 only. Linux or Solaris aren't
affected. Older versions of Pi3Web aren't affected.

The patch is also available in the download area. Patch no. 1 may be applied
but isn't required. If patch no. 1 was applied, it is recommended to also apply this

Extract the archive and replace the DLLs in Pi3Web/bin. Restart the server.

A configuration-based workaround for this problem is also possible by adding
the following line to the Scripts object, e.g. in Pi3Web/Conf/Config.pi3:

Name Scripts
Class FlexibleHandlerClass
Condition "&cmp(&dblookup(response,string,ObjectMap),Scripts)"
# line added to check for script names ending on '.'
CheckPath Condition="&regexp(*.,$z)" StatusCode StatusCode="404"


  • Holger Zimmermann

    Don't apply the patch to the beta 2 anymore but upgrade to the 2.00 release distribution instead.

  • Holger Zimmermann

    • status: open --> closed-fixed
