httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Uniqueness, or security and <Location> revisited
Date Sun, 15 Oct 2000 20:50:13 GMT
Roy,

  I'm starting the overhaul of canonical name.  Everyone knows what
it's for, and noone agrees on what it does.  OS2 full paths, Unix
does nothing, Win32 just cleans it up.

  You have stated (and I agree) that if security matters to the website
administrator, the filename should be resolved in the same case as on 
the file system.  If it doesn't match, redirect (this blows monkey 
chunks for anything but GET operations, however.)

  If we take that for gospel, I really have to disagree with the current
handling of multiple slashes.  We gleefully accept the URL /test//this/p.html
and go right on humming, but coax the // into / for your basic <Location>
parsing.  I'm arguing that this makes no more sense than your adamant stance
against accepting the wrong case on file systems that simply -don't care-.
The same goes for paths like /./test/this/p.html, which is equally well
resolved.  

  I'm bugging the list on this because we can't persist the way we have, and
need to get this right for 2.0 so we can blow the warning statements away.
This is the single weakest link in the system.  If locations will ever work
correctly on any platform, you are right on, we must accept that a file path
should have one and only one possible resolution (never minding Multiviews,
which could also be fixed with a redirect.)

  What's your position on these (assuming entirely lower case real names):

/test//this/thing.p redirects to /test/this/thing.p
/./test/this/thing.p also redirects to /test/this/thing.p
/Test/This/Thing.p redirects to /test/this/thing.p

  This should affect the file system only, it will be up to other modules to
observe the proper security precautions for their namespace.  I want to get
this right from the getgo on 2.0b1 since we already have a dozen reports to
the list, bugs, newsgroups etc of people who don't understand the changes to
the regex RedirectMatch syntax.

  How do you all feel about this?

Bill

Mime
View raw message