httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: [1.3 PATCH/QUESTION] Win32 ap_os_is_filename_valid()
Date Wed, 13 Mar 2002 19:12:18 GMT
Jeff Trawick <> writes:

> This function is checking for several characters which, at least in
> ASCII, are supposedly not valid characters for filenames.  But some of
> these same characters can appear in valid non-ASCII filenames, and the
> logic to check for these characters breaks Apache's ability to serve
> those files.
> A user reported the inability to request a file with the Chinese
> character %b5%7c in the name.  The %7c byte tripped up the check for
> invalid ASCII characters.

I think this is an accurate statement regarding the use of non-ASCII
characters in filenames with Apache 1.3 on Win32.  Comments?

-------------------cut here------------------
Names of file-based resources with Apache 1.3 on Win32

Apache 1.3 on Win32 assumes that the names of files served are comprised 
solely of characters from the US-ASCII character set.  It has no logic to
determine whether or not a possible file name contains invalid non-ASCII
characters.  It has no logic to properly match actual non-ASCII file names 
with names specified in the Apache configuration file.  Because Apache
does not verify that the characters in file names are all ASCII, files
files containing various non-ASCII characters in their names can be 
successfully served by Apache.  However, this is not recommended for the
following reasons:

1) Because Apache is unable to properly match actual non-ASCII file names
   with names in the Apache configuration file, taking into account any
   case folding or other transformations handled by the operating system
   when looking up files or otherwise matching file names, directives in
   the Apache configuration file may or may not be in force, depending
   on how the HTTP client specifies the resource.  This may be a security
   concern, depending on your configuration.

2) Because Apache assumes that file names are ASCII, some of the checks
   it makes when validating file names will flag certain non-ASCII
   characters as invalid.  For example, Apache on Win32 will flag a file
   name containing the ASCII character '|' (0x7C) as invalid.  This logic
   will flag any file name containing the byte 0x7C as invalid, even if
   that byte does not represent '|' in the local character set.  There 
   are other characters checked for as well.  Because of these checks,
   even if there are no security issues in your configuration, the full
   range of local characters cannot be used.

Because of the lack of proper support for non-ASCII characters in file
names, it is recommended that administrators not attempt to use any
non-ASCII characters in file names.  Any other configuration is 
------------------cut here----------------
Jeff Trawick |
Born in Roswell... married an alien...

View raw message