httpd-dev mailing list archives

From Alexei Kosut <ako...@nueva.pvt.k12.ca.us>
Subject Re: config/315: <LIMIT> causes two password queries unless given fqdn.
Date Sun, 06 Apr 1997 05:39:03 GMT
On Sat, 5 Apr 1997, Marc Slemko wrote:

> The answer to this (psst... another FAQ?) is probably that Apache is
> issuing a redirect which causes it to be a different server as far as the
> client knows, making it reprompt for the name.
> 
> If the directory /foo/ is protected, is there any reason why a request for
> /foo needs to return a 401?  Would it cause a security hole if it just
> returned the redirect to /foo/ without requiring authentication?  That
> would eliminate this frequent problem; Netscape Commerce 1.1 avoids the
> problem by doing things this way.

I think that would be a security problem (not to mention a bit tricky
given Apache's authentication model), for the same reason we return
401/403 and not 404 when there is an unauthorized request for a
non-existent file: It tells a potentially unwanted visitor something
about a private area of your site, namely that a file doesn't
exist. This means that if you know that the server behaves that way,
you can quickly find out which files *do* exist (they return 401/403
instead of 404). Having Apache return 301 instead of 401/403 would
produce the same problem: it would then be possible to find out if a
directory existed or not, simply by testing its URL sans slash.

In other words, -1

-- 
________________________________________________________________________
Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
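The two request-handling orders argued over above, modelled as an added example (not code from the thread or from Apache): authenticating before the trailing-slash redirect answers every unauthenticated probe into the protected area the same way, while redirecting first makes the 301/401 split depend on whether the directory exists. The directory set, protected prefix and credential token are constructed for the demonstration.

```python
"""Added example: compare auth-before-redirect with redirect-before-auth
for a request to /dir (no trailing slash) inside a protected area."""

from typing import Optional

# Constructed server state for the demonstration (not a real site layout).
EXISTING_DIRS = {"/foo", "/foo/private", "/public"}
PROTECTED_PREFIX = "/foo"


def _authorized(auth: Optional[str]) -> bool:
    # Placeholder credential check; a real server verifies against a user db.
    return auth == "valid-token"


def _requires_auth(path: str) -> bool:
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def status_auth_first(path: str, auth: Optional[str]) -> int:
    """Order described for Apache in the thread: the authentication check runs
    before the trailing-slash redirect, so an unauthenticated request into the
    protected area gets 401 whether or not the directory exists."""
    if _requires_auth(path) and not _authorized(auth):
        return 401
    if path in EXISTING_DIRS and not path.endswith("/"):
        return 301  # redirect to the slash-terminated form
    return 200 if path.rstrip("/") in EXISTING_DIRS else 404


def status_redirect_first(path: str, auth: Optional[str]) -> int:
    """Proposed order: redirect to /dir/ before authenticating. An existing
    directory now yields 301 and a missing one 401, for any client."""
    if path in EXISTING_DIRS and not path.endswith("/"):
        return 301
    if _requires_auth(path) and not _authorized(auth):
        return 401
    return 200 if path.rstrip("/") in EXISTING_DIRS else 404


def leaks_existence(handler, existing_path: str, missing_path: str) -> bool:
    """True if an unauthenticated client receives different status codes for
    an existing and a missing directory inside the protected area."""
    return handler(existing_path, None) != handler(missing_path, None)
```

Running `leaks_existence` against both handlers with `/foo/private` and `/foo/nothere` gives `False` for auth-first and `True` for redirect-first, which is the objection raised in the reply.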