httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: Spaces in Win32 executable names
Date Fri, 22 Aug 1997 15:03:49 GMT
Elizabeth Mattijsen wrote:
> 
> At 15:54 8/22/97 +0200, Martin Kraemer wrote:
> >> If it is possible to munge the requested filename before matching, I guess
> >> the best solution would be to:
> >No, because munging is nondeterministic. A specific mangled name can
> >at two points in time be "the short name" for two different long names.
> 
> Yep, you're right.  Yuck.  Hadn't realised that, even though I'm working
> with Win95 for the past 1.5 years already.  Guess I don't see too many
> munged filenames anymore...
> 
> >The connection some-long-name <--> some-short-name is created when the
> >file is created/renamed. But the next time you try it, different
> >outcomes can result.
> 
> Wouldn't it make sense then to indeed only check the requested filename
> with the long filename and not allow any munged filenames as a requested
> filename at all?

This has also been discussed already. The question is how do you know a
filename is munged?

> The munged filenames were only done so that pre-Win95 programs would still
> be able to access long filenames.  Apache is not such a program, therefore
> it should simply not allow munged filenames at all because of the security
> implications involved.  Is there a good reason for allowing munged
> filenames in requests?

Only that we can't easily tell whether a name is munged or not.

> Anyway, I can think of several methods to bypass security measures if
> munged filenames were allowed in requests: e.g. (probably stating the
> obvious) if someone would have some access to your server and would be able
> to rename a protected directory.  Since munging happens at the moment of a
> create or rename, the new munged filename might not be protected at all...

Ahem. If they have access to your server sufficient to rename
directories, you have severe security problems, anyway. Furthermore,
they can bypass security without reference to name munging if they can
rename.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 994 6435|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 994 6472|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
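
An added illustration of the question raised in this thread, not part of the original message and not Apache code: a shape test on the name alone cannot tell a munged alias from a long name that happens to look like one, whereas comparing the request against the long names actually stored in the directory can. The directory table, its aliases and all function names are constructed for the example.

```python
import re

# Typical shape of a generated 8.3 alias: a few characters, "~", digits,
# and an optional short extension.
ALIAS_SHAPE = re.compile(r"^[^.~]{1,6}~\d+(\.[^.]{1,3})?$")

# Constructed sample directory: stored long name -> short alias assigned by
# the filesystem at create/rename time (None where no alias was needed).
SAMPLE_DIR = {
    "Private Documents": "PRIVAT~1",
    "Private Reports": "PRIVAT~2",
    "BACKUP~1": None,            # a real name chosen to look like an alias
    "index.html": "INDEX~1.HTM",
}


def looks_munged(name):
    """Shape-only guess; it cannot separate an alias from a look-alike name."""
    return ALIAS_SHAPE.match(name) is not None


def os_would_open(requested, directory):
    """Model of the filesystem lookup: long names and aliases both match."""
    wanted = requested.casefold()
    for long_name, alias in directory.items():
        if wanted == long_name.casefold():
            return long_name
        if alias is not None and wanted == alias.casefold():
            return long_name
    return None


def accept_long_name_only(requested, directory):
    """Accept a request only if it equals a stored long name, ignoring case."""
    wanted = requested.casefold()
    for long_name in directory:
        if wanted == long_name.casefold():
            return long_name
    return None


if __name__ == "__main__":
    for req in ("Private Documents", "PRIVAT~1", "BACKUP~1", "INDEX~1.HTM"):
        print(req, looks_munged(req), os_would_open(req, SAMPLE_DIR),
              accept_long_name_only(req, SAMPLE_DIR))
```

On Windows, os.listdir() on the parent directory returns the stored long names, so its result can stand in for the keys of the sample table.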
