httpd-dev mailing list archives

From Chuck Murcko <ch...@telebase.com>
Subject apache proxy cache (fwd)
Date Thu, 03 Oct 1996 21:45:30 GMT
Thanks for pointing this out, Kyle. The proxy caching strategy is currently
changing, and this sort of behavior is being addressed in the 1.2 Apache
proxy now under construction.

Rob Hartill liltingly intones:
> From owner-new-httpd@hyperreal.com Thu Oct  3 14:32:01 1996
> Message-Id: <199610031816.TAA26081>
> Subject: apache proxy cache (fwd)
> To: apache <new-httpd@mail.apache.org>
> Date: Thu, 3 Oct 1996 19:16:49 +0100 (BST)
> From: Rob Hartill <robh@imdb.com>
> Organization: Internet Movie Database
> X-pgp-public-key: http://us.imdb.com/pgp.html
> X-Mailer: ELM [version 2.4 PL24 ME8a]
> Content-Type: text
> Sender: owner-new-httpd@hyperreal.com
> Precedence: bulk
> Reply-To: new-httpd@hyperreal.com
> 
> 
> not acked
> 
> ----- Forwarded message from Kyle McCrindle -----
> 
> Message-ID: <32542679.13CC@nettestca.gn.com>
> Date: Thu, 03 Oct 1996 13:47:53 -0700
> From: Kyle McCrindle <kyle@nettestca.gn.com>
> Reply-To: kyle@nettestca.gn.com
> Organization: GN Nettest (Canada), Inc.
> X-Mailer: Mozilla 3.0Gold (Win16; I)
> MIME-Version: 1.0
> To: apache-bugs@mail.apache.org
> Subject: apache proxy cache
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> I have noticed a security misgiving in apache's proxy cache of ftp
> servers.
> 
> The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
> top-level list of all cached sites.  A problem arises if an ftp URL is
> used to access a password protected site (i.e. through a browser).  A URL
> of good form would be:
> 
> 	ftp://user:password@ftp.private.data.com/
> 
> Firstly, this represents personal space (home directory on unix) and
> should not be cached (is it?).  Secondly, a cache directory is created
> and called:
> 	/usr/.../cache/ftp/user:password@ftp.private.data.com
> 
> Clearly, the password is visible as part of the directory name.
> 
> I am not familiar with apache httpd or the dynamics of other httpd
> servers, but is this intended, appropriate, documented, configurable?
> 
> 		-- Kyle McCrindle
> 
> -- 
> Kyle McCrindle                       internet: kyle@nettestca.gn.com
> GN Nettest (Navtel Division)         voice: 905-479-8090
> R&D Software Engineer                fax: 905-475-6524
> =======================================================================
> 
> 
> ----- End of forwarded message from Kyle McCrindle -----
> 
> -- 
> Rob Hartill (robh@imdb.com)    
> http://www.imdb.com/  ... why wait for a clear night to see the stars?.
> 

chuck
Chuck Murcko	N2K Inc.	Wayne PA	chuck@telebase.com
And now, on a lighter note:
"I am ready to meet my Maker.  Whether my Maker is prepared for the
great ordeal of meeting me is another matter."
		-- Winston Churchill
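
An added example, not part of the original messages and not Apache's code: one way to derive the per-site cache directory name so that the `user:password@` part of an ftp URL never reaches the filesystem, and to flag such URLs as not cacheable, as the report suggests. The function name `cache_dir_name`, its return codes and the `scheme/host` layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write "<scheme>/<host>" for a proxied URL into out,
 * dropping any userinfo ("user:password@") from the authority.
 * Returns 1 if the URL may be cached, 0 if it carried credentials (out is
 * still credential-free), -1 on malformed input or too small a buffer. */
int cache_dir_name(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url || outlen == 0)
        return -1;

    size_t scheme_len = (size_t)(sep - url);
    const char *auth = sep + 3;
    size_t auth_len = strcspn(auth, "/?#");   /* authority ends at / ? or # */

    /* Userinfo ends at the last '@' inside the authority. */
    const char *host = auth;
    int had_userinfo = 0;
    for (size_t i = 0; i < auth_len; i++) {
        if (auth[i] == '@') {
            host = auth + i + 1;
            had_userinfo = 1;
        }
    }
    size_t host_len = auth_len - (size_t)(host - auth);
    if (host_len == 0)
        return -1;

    int n = snprintf(out, outlen, "%.*s/%.*s",
                     (int)scheme_len, url, (int)host_len, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return had_userinfo ? 0 : 1;
}

int main(void)
{
    /* Constructed sample input; the first URL is the one from the report. */
    const char *urls[] = { "ftp://user:password@ftp.private.data.com/",
                           "ftp://ftp.example.org/pub/" };
    char dir[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int rc = cache_dir_name(urls[i], dir, sizeof dir);
        printf("%s -> %s (%s)\n", urls[i], rc < 0 ? "rejected" : dir,
               rc == 1 ? "cacheable" : "do not cache");
    }
    return 0;
}
```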
