httpd-dev mailing list archives

From pmo...@axa.com.au
Subject Re: Case insensitivity trick
Date Wed, 31 Jan 2001 23:04:54 GMT

a better solution imho is to use a decent editor like Allaire's HomeSite and
use its "built-in" FTP-RDS feature which allows you to set up ftp servers
as if they were local drives and you can open and save to them at will as
if you were using a Windows ftp gui. It closes the connection after the
usual ftp timeout unlike Samba which leaves it open.
Obviously it requires an ftp daemon to be running on the host and the
appropriate access rights for the files you are creating/editing but most
*nixes have an ftp daemon running by default anyway.
Much more secure than Samba and case is not an issue.
peter





Please respond to new-httpd@apache.org

To:   "Marc Perkel" <marc@perkel.com>, new-httpd@apache.org
cc:
Subject:  Re: Case insensitivity trick




There is only one flaw in this solution.  You entirely break conventional
expectations for security.

If you employ the <Location /web/foo/bar> Require user feature, changing the
case walks around that restriction.  Windows has this same problem.

If you employ the <Directory /web/foo/bar> Require user feature, changing
the case walks around that restriction too.  But Windows -doesn't- suffer
from this same problem.

Win32 builds know that case is insensitive, and normalize the case, but
Unix does not (by default), and won't compare the case correctly.

This is such a huge security issue that I'm very disinclined to publish it
as a 'workaround' for 1.3.

But ... 2.0 is being reworked from the ground up.  Case sensitivity issues
are being migrated out of the server, into the Apache Portability Runtime.
If and when someone hacks in the case-insensitive support for Samba mounts
(and other case-insensitive file systems) this trick will be very, very
legitimate, and in fact sometimes required.

Glad you enjoyed hacking on it, and thanks for sharing the thought!

Bill


----- Original Message -----
From: "Marc Perkel" <marc@perkel.com>
To: <human-response@Apache.Org>
Sent: Thursday, January 11, 2001 1:23 PM
Subject: Case insensitivity trick


> Here's a trick I finally got working. A way to make Apache case
> insensitive on linux/unix servers. Feel free to pass this on. It seems
> to be working well.
>
> The problems started when migrating from NT to Linux. As you know NT is
> case insensitive, so anything matched. I moved to Linux and had a lot of
> problems with "file not found". Even after changing everything to lower
> case, there were still external web sites that linked to me that were in
> the wrong case. I had at first come up with some rules to convert all
> requests to lower case to fix that, but now I have a better solution.
>
>  The trick is to use SAMBA.
>
> Samba is a service that emulates a Windows NT server. It normally is
> used to let Windows machines access Linux files pretending to be a
> Windows server. One of the features of Samba is that the file system is
> not case sensitive. You can save in any case and it preserves it. But a
> file request in any case matches.
>
> Now, before I tell you my solution, I want to piss some people off.
> Windows case insensitivity is superior to the Unix case sensitivity BUG.
> Unix is stuck with it, but to have two files with the same name is
> stupid.
>
>  Back to the solution. I have a directory named /www where my web sites
> are stored. I have another directory named /web which is merely a mount
> point. The idea is to mount /www as /web using Samba services. Thus
> files under /web are the same as /www but you no longer have to match
> case to load the web page.
>
>  I created a samba share named web. The "web" share exports the
> directory /www. I made a dummy user "webuser" to have rights to the
> share. I also made the share read-only and restricted access to 127.
> block of IP addresses. Thus it can only be loaded from the localhost.
>
>  Then I mount the share.
>
>  mount -t smbfs -o username=webserv,password=123456 //localhost/web /web
>
> Thus /www and /web are the same except /web is processed through Samba
> and all your case problems go away. If you want to preserve the old case
> rules, you can still access /www. You have the best of both worlds.
>
> Does it slow you down? Use more processor or resources? Sure, in
> theory. But hell, I'm running on a Pentium III box in the first place
> and have excess power to start with.
>
>  Anyhow, I beat the system. Pass it on.
>
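
The case mismatch raised in the reply above, as an added sketch that is not part of the thread and not Apache's code: a byte-for-byte prefix check in front of a case-insensitive mount lets a re-cased path skip the restriction, while folding case on both sides closes the gap. The file names, the toy `serve` model and all function names are assumptions made for illustration.

```python
import posixpath

# Constructed sample data: the prefix guarded by "Require user", and the files
# visible through a case-insensitive, case-preserving mount such as /web.
PROTECTED = ["/web/foo/bar"]
FILES = {"/web/foo/bar/secret.html", "/web/index.html"}

def fs_lookup(path):
    """Resolve a path the way a case-insensitive filesystem does."""
    wanted = path.casefold()
    return next((f for f in FILES if f.casefold() == wanted), None)

def under(prefix, path):
    """True if path is the prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def needs_auth_exact(path):
    """Byte-for-byte comparison: the Unix default described in the thread."""
    return any(under(p, path) for p in PROTECTED)

def needs_auth_folded(path):
    """Fold case on both sides so the check agrees with the filesystem."""
    return any(under(p.casefold(), path.casefold()) for p in PROTECTED)

def serve(path, authenticated, needs_auth):
    """Status code a toy server would return (hypothetical model)."""
    path = posixpath.normpath(path)
    if needs_auth(path) and not authenticated:
        return 401
    return 200 if fs_lookup(path) else 404

def case_variant_requests(paths):
    """Audit helper: requests that only the case-folded check would protect."""
    hits = []
    for raw in paths:
        p = posixpath.normpath(raw)
        if needs_auth_folded(p) and not needs_auth_exact(p):
            hits.append(raw)
    return hits
```

`case_variant_requests` can be run over logged request paths to find re-cased hits on a protected prefix that the exact-match check let through.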







