httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: Case insensitivity trick
Date Wed, 31 Jan 2001 18:47:50 GMT
There is only one flaw in this solution.  You entirely break conventional
expectations for security.

If you employ the <Location /web/foo/bar> Require user feature, changing the
case walks around that restriction.  Windows has this same problem.

If you employ the <Directory /web/foo/bar> Require user feature, changing
the case walks around that restriction too.  But Windows -doesn't- suffer
from this same problem.

Win32 builds know that case is insensitive, and normalize the case, but
Unix does not (by default), and won't compare the case correctly.

This is such a huge security issue that I'm very disinclined to publish it
as a 'workaround' for 1.3.

But ... 2.0 is being reworked from the ground up.  Case sensitivity issues
are being migrated out of the server, into the Apache Portability Runtime.
If and when someone hacks in the case-insensitive support for Samba mounts
(and other case-insensitive file systems) this trick will be very, very
legitimate, and in fact sometimes required.

Glad you enjoyed hacking on it, and thanks for sharing the thought!


----- Original Message ----- 
From: "Marc Perkel" <>
To: <human-response@Apache.Org>
Sent: Thursday, January 11, 2001 1:23 PM
Subject: Case insensitivity trick

> Here's a trick I finally got working. A way to make Apache case
>  insensitive on linux/unix servers. Feel free to pass this on. It seems
> to be working well.
>  The problems started when migrating from NT to Linux. As you know NT is
> case insensitive, so anything matched. I moved to Linux and had a lot of
> problems with "file not found". Even after changing everything to lower
> case, there were still external web sites that linked to me that were in
> the wrong case. I had at first come up with some rules to convert all
> requests to lower case to fix that, but now I have a better solution.
>  The trick is to use SAMBA.
>  Samba is a service that emulates a windows NT server. It normally is
> used to let windows machines access Linux files pretending to be a
> windows server. One of the features of Samba is that the file system is
> not case sensitive. You can save in any case and it preserves it. But a
> file request in any case matches.
>  Now, before I tell you my solution, I want to piss some people off.
> Windows case insensitivity is superior to the Unix case sensitivity BUG.
> Unix is stuck with it, but to have two files with the same name is
> stupid.
>  Back to the solution. I have a directory named /www where my web sites
> are stored. I have another directory named /web which is merely a mount
> point. The idea is to mount /www as /web using Samba services. Thus
> files under /web are the same as /www but you no longer have to match
> case to load the web page.
>  I created a samba share named web. The "web" share exports the
> directory /www. I made a dummy user "webuser" to have rights to the
> share. I also made the share read-only and restricted access to 127.
> block of IP addresses. Thus it can only be loaded from the localhost.
>  Then I mount the share.
>  mount -t smbfs -o username=webserv,password=123456 //localhost/web /web
>  Thus /www and /web are the same except /web is processed through Samba
> and all your case problems go away. If you want to preserve the old case
> rules, you can still access /www. You have the best of both worlds.
>  Does it slow you down? Use more processor or resources? Sure, in
> theory. But hell, I'm running on a Pentium III box in the first place
> and have excess power to start with.
>  Anyhow, I beat the system. Pass it on.
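
The mismatch described in the reply, modelled as an added example (not code from either message or from Apache): protected sections are compared as plain strings while a Samba-style mount resolves file names in any case. The function names, the sample file and the use of `casefold()` to stand in for case normalization are assumptions made for the illustration.

```python
import posixpath

# Constructed sample: one protected section, as in the reply's
# <Directory /web/foo/bar> example, and one file stored beneath it.
PROTECTED = ["/web/foo/bar"]
FILES = {"/web/foo/bar/report.html": "members only"}


def under(path, section, fold=False):
    """True when path is the section itself or lies beneath it."""
    if fold:  # assumption: casefold() stands in for case normalization
        path, section = path.casefold(), section.casefold()
    return path == section or path.startswith(section.rstrip("/") + "/")


def lookup(path, fs_case_insensitive):
    """Model of the file system: a Samba-style mount matches any case."""
    if not fs_case_insensitive:
        return FILES.get(path)
    for name, body in FILES.items():
        if name.casefold() == path.casefold():
            return body
    return None


def serve(path, fs_case_insensitive, fold_sections, authenticated=False):
    """Return (status, body) for a request under the chosen comparison mode."""
    path = posixpath.normpath(path)
    guarded = any(under(path, s, fold_sections) for s in PROTECTED)
    if guarded and not authenticated:
        return 401, None
    body = lookup(path, fs_case_insensitive)
    return (200, body) if body is not None else (404, None)


def audit(sections, ci_mounts):
    """List protected sections that sit on a case-insensitive mount."""
    return [s for s in sections if any(under(s, m) for m in ci_mounts)]
```

`audit()` is the check to run over a configuration before pointing the document root at such a mount: every section it returns needs case-normalized comparison before its `Require` line can be relied on.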
