httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: notes on 1.1b4 authorization and table_set() function calls. (fwd)
Date Mon, 24 Jun 1996 23:31:04 GMT
On Mon, 24 Jun 1996, Vivek Khera wrote:


> I haven't looked into the complexity of this just yet, but it would seem to me
> it makes more sense to test for the existence of the file *before* testing for
> authorization of access to the file.  I'm sure people who rely heavily on
> authorization would agree, too.  This would greatly reduce the number of hits
> on the authorization database for access to a file that doesn't exist.

It might seem to make sense, indeed, it would, as you say, reduce load on
the authorization database. However, it would be a security hole: If the
server returned a Not Found error prior to returning an Authentication
Required error, a potential hacker might be able to get a map of all the
filenames on the server, without actually having access to the server, by
noting when the server returned Not Found, versus when it asked for

Apache, when finding directory indexes internally, uses the exact same
mechanism that it uses when a file is requested by a user, except that it
does not actually serve the file. Since this request includes the
authentication stage, it is therefore neccessary to check authorization
for each index file checked.

> Secondly, I notice that at many places you call table_set() with the third
> parameter as pstrdup(...) when table_set() does that for you already.  Not a
> big deal as the space will be reclaimed rather quickly, but it does seem to be
> an expensive operation to do given that it will just be pstrdup()'d again
> immediately.

pstrdup() is not a particuarly expensive operation, due to the way
Apache's memory-pool allocation code works (not nearly as much as it would
be for the corresponding malloc() and strcpy()), but you are correct,
there is a lot of this sort of thing. Probably the best explanation is
that it makes people feel safer, knowing for sure that their strings.
won't be mangled.

Perhaps in a future version of Apache, we will clean up this sort of
thing. It might not be a bad idea.

> Thanks for your attention.

Thanks for using Apache!

-- Alexei Kosut <>            The Apache HTTP Server

View raw message