httpd-dev mailing list archives

From Jeff Trawick <traw...@attglobal.net>
Subject Re: [1.3 PATCH/QUESTION] Win32 ap_os_is_filename_valid()
Date Thu, 14 Mar 2002 03:47:39 GMT
Here is an update to my previous statement based on comments from Roy
and Bill.  (And Roy, I'm going to get my butt flamed anyway.)  I'd
like to stick it at the end of "Using Apache With Microsoft Windows"
(http://httpd.apache.org/docs/windows.html), unless somebody can think
of a better place.

Names of file-based resources with Apache 1.3 on Win32

Apache 1.3 on Win32 assumes that the names of files served are comprised 
solely of characters from character sets which are a superset of ASCII,
such as UTF-8 or ISO-8859-1.  It has no logic to determine whether or not 
a possible file name contains invalid characters.  It has no logic to 
properly match actual non-ASCII file names with names specified in the 
Apache configuration file.  Because Apache does not verify that the 
characters in file names are all from a valid character set, files
containing various invalid characters in their names can be successfully 
served by Apache.  However, this is not recommended for the following 
reasons:

1) Because Apache is unable to properly match actual non-ASCII file names
   with names in the Apache configuration file, taking into account any
   case folding or other transformations handled by the operating system
   when looking up files or otherwise matching file names, directives in
   the Apache configuration file may or may not be in force, depending
   on how the HTTP client specifies the resource.  This may be a security
   concern, depending on your configuration.

2) Because Apache assumes that file names are from a character set which is
   a superset of ASCII, some of the checks it makes when validating file 
   names will flag certain non-ASCII characters as invalid.  For example, 
   Apache on Win32 will flag a file name containing the ASCII character '|'
   (0x7C) as invalid.  This logic will flag any file name containing the 
   byte 0x7C as invalid, even if that byte does not represent '|' in the 
   local character set.  There are other characters checked for as well.  
   Because of these checks, even if there are no security issues in your 
   configuration, many Unicode characters or other wide characters cannot 
   be used.

Because of the lack of proper support for non-ASCII characters in file
names, it is recommended that administrators not attempt to use any
non-ASCII characters in file names.  Any other configuration is 
unsupported.

Apache 2.0 introduces the UTF-8 convention to access any filenames and
resources in a predictable and safe manner.  The implementation of this
feature is too extensive to consider backporting to Apache 1.3.

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...
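
The false positive described in point 2, as an added example that is not part of the original message and is not Apache's code: the function names are hypothetical, the sample names are constructed, and Shift-JIS is assumed as the local character set. It also shows why a UTF-8 convention avoids the collision, since every byte of a UTF-8 multibyte sequence is 0x80 or above.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte-wise check: flags the name if any byte equals '|' (0x7C),
 * with no knowledge of the character set the bytes belong to. */
static int bytewise_has_pipe(const unsigned char *name, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (name[i] == 0x7C)
            return 1;
    return 0;
}

/* Shift-JIS lead bytes are 0x81-0x9F and 0xE0-0xFC. */
static int sjis_is_lead(unsigned char b)
{
    return (b >= 0x81 && b <= 0x9F) || (b >= 0xE0 && b <= 0xFC);
}

/* Charset-aware check: a 0x7C that is the trail byte of a two-byte
 * Shift-JIS character is not '|', so step over the whole character. */
static int sjis_has_pipe(const unsigned char *name, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (sjis_is_lead(name[i]) && i + 1 < len)
            i++;                       /* skip the trail byte */
        else if (name[i] == 0x7C)
            return 1;
    }
    return 0;
}

/* Constructed sample names (raw bytes as they would appear on disk). */
static const unsigned char NAME_SJIS[] = {0x83, 0x7C, '.', 't', 'x', 't'};       /* katakana PO in Shift-JIS */
static const unsigned char NAME_UTF8[] = {0xE3, 0x83, 0x9D, '.', 't', 'x', 't'}; /* same character, UTF-8 */
static const unsigned char NAME_PIPE[] = {'a', '|', 'b'};                        /* a real '|' */

int main(void)
{
    printf("Shift-JIS name, byte-wise check:      %d\n",
           bytewise_has_pipe(NAME_SJIS, sizeof NAME_SJIS));
    printf("Shift-JIS name, charset-aware check:  %d\n",
           sjis_has_pipe(NAME_SJIS, sizeof NAME_SJIS));
    printf("UTF-8 name, byte-wise check:          %d\n",
           bytewise_has_pipe(NAME_UTF8, sizeof NAME_UTF8));
    printf("Real '|', charset-aware check:        %d\n",
           sjis_has_pipe(NAME_PIPE, sizeof NAME_PIPE));
    return 0;
}
```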
