httpd-dev mailing list archives

From "Carsten Wiedmann" <carsten_st...@gmx.de>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sat, 19 Aug 2006 06:37:22 GMT
Joshua Slive schrieb:

> On 8/18/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:
> >
> > I don't completely agree with you... IMHO the basic "problem" is:
> > The "URL-path" in ScriptAlias (like in Alias and Location) is
> > compared case sensitive first, also on Windows. The "normal" URI to
> > path translation (directory-path) not on Windows. That should be
> > better explained in the manual.
>
> Yes, it should be explained that *Alias* are case-sensitive in their
> first argument.

Ok.


> But your diagnosis is not quite correct.  URLs are
> always case sensitive in httpd (and in the HTTP RFC).

That's a good point (IMHO they SHOULD, not MUST). But see below...


> The fact that
> multiple different URLs happen to map to the same filesystem location
> is an artifact of the filesystem, not of the path translation code.
> httpd does handle case-insensitivity correctly in its filesystem code
> (such as the <Directory> block).

Now another point of view ;-)

Ok, we can see that httpd does exactly what the source code says. URI 
comparison is made case-sensitively. And the last step, mapping the URI to a 
file system location, depends on the file system.

(And we know: URIs are not file system locations, only resources...)

But what happens in real life (all steps together)?
On *nix:
- with a directory "$DOCUMENT_ROOT/foo",
  the URI /FOO is not the same as /foo
- with an alias /foo for a directory "foo" inside DocumentRoot,
  the URI /FOO is not the same as /foo
- with an alias /bar for a directory "bar" outside DocumentRoot,
  the URI /BAR is not the same as /bar
- with an alias /bar for a directory "bar" and a subdir "sub"
  outside DocumentRoot, the URI /bar/SUB is not the same as /bar/sub

Now the same for e.g. Windows:
- with a directory "$DOCUMENT_ROOT/foo",
  the URI /FOO is the same as /foo
- with an alias /foo for a directory "foo" inside DocumentRoot,
  the URI /FOO is the same as /foo,
  but sometimes with a different behavior
- with an alias /bar for a directory "bar" outside DocumentRoot,
  the URI /BAR is not the same as /bar
- with an alias /bar for a directory "bar" and a subdir "sub"
  outside DocumentRoot, the URI /bar/SUB is the same as /bar/sub
  (that's really interesting:
   only parts of the abs_path are case-sensitive)

And you think that's a consistent behavior, in accordance with RFC 2616 
(3.2.3)? Don't forget: that's not really a problem of the file system, 
because NTFS for example is not only case-insensitive, it's also 
case-preserving. Thus httpd should know the real case.

You remember this little sentence in the RFC 2616 (15.2)?
| If an HTTP server translates HTTP URIs directly into file system calls,
| the server MUST take special care not to serve files
| that were not intended to be delivered to HTTP clients.


> > > On 8/18/06, Mark J Cox <mark@awe.com> wrote:
> > > > I think the right response here is to make it more explicit in the
> > > > documentation that putting a ScriptAlias cgi-bin inside document
> > > > root is bad.
> > >
> > > Yes, this is a relatively common configuration error.
> > > ...
> > > Instead, you can use:
> > > <example>
> > >    <Directory /usr/local/apache2/htdocs/cgi-dir>
> > >    SetHandler cgi-script
> > >    Options ExecCGI
> > >    </Directory>
> > >  </example>

Why is it really bad to have a ScriptAlias inside the DocumentRoot? It's 
only another file system location. And it's only one line in the config file 
instead of four. You only have a problem because of the "unexpected" 
behavior of httpd with case-insensitive/case-preserving file systems ;-) And 
on Windows, the simplest way to get consistent behavior with URIs is to 
have an alias match case-insensitively.

BTW:
That's not only a problem with Windows. Don't forget the default file system 
of OS X. HFS+ is also case-insensitive.

Regards,
Carsten
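The configuration error discussed in this thread (a ScriptAlias whose target directory lies inside DocumentRoot, so the same files are reachable both through the case-sensitively matched alias and through the case-insensitive filesystem mapping) can be caught by a simple audit of httpd.conf. The script below is an added example written for this archive page; it is not code from the thread or from the Apache httpd project. It assumes a config consisting of plain `DocumentRoot` and `ScriptAlias` lines (no `ScriptAliasMatch`, `Include` or per-VirtualHost scoping), and the sample config it checks is constructed, not taken from a real server. The `<Directory>` replacement it prints is the one quoted from Joshua Slive above.

```python
"""Audit an Apache httpd.conf for ScriptAlias targets that sit inside
DocumentRoot, the configuration the thread above warns about (added example)."""
import posixpath
import re

# Only these two directives matter here; httpd directive names are
# case-insensitive, so the regex is too. "ScriptAliasMatch" is deliberately
# not matched (assumption: the config uses plain ScriptAlias only).
_DIRECTIVE_RE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.+?)\s*$', re.IGNORECASE)
# Arguments are either "double quoted" or bare whitespace-free tokens.
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def _args(rest):
    """Split a directive's argument string for the simple quoted/bare cases."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(rest)]


def normalize(fs_path, case_insensitive):
    """Canonical form of a filesystem path for containment checks.

    Backslashes are folded to slashes and '.'/'..' segments are resolved.
    On a case-insensitive but case-preserving filesystem (NTFS, HFS+) the
    case is folded too, so two spellings of one directory compare equal.
    """
    p = posixpath.normpath(fs_path.replace("\\", "/"))
    if case_insensitive:
        p = p.lower()
    return p.rstrip("/") or "/"


def _is_within(child, parent):
    return child == parent or child.startswith(parent + "/")


def parse_config(conf_text):
    """Return (document_root, [(url_path, fs_path), ...]) from httpd.conf text."""
    docroot, aliases = None, []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), _args(m.group(2))
        if name == "documentroot" and len(args) >= 1:
            docroot = args[0]
        elif name == "scriptalias" and len(args) == 2:
            aliases.append((args[0], args[1]))
    return docroot, aliases


def scriptaliases_inside_docroot(conf_text, case_insensitive=True):
    """List the ScriptAlias directives whose target lies under DocumentRoot.

    Such a directory is reachable in two ways: through the alias (CGI is
    executed) and through the DocumentRoot mapping (the file is served as
    data). The alias URL-path is compared case-sensitively while a
    case-insensitive filesystem is not, which is why the second route
    exists at all on Windows or HFS+.
    """
    docroot, aliases = parse_config(conf_text)
    if docroot is None:
        return []
    root = normalize(docroot, case_insensitive)
    return [(url, fs) for url, fs in aliases
            if _is_within(normalize(fs, case_insensitive), root)]


def suggested_fix(fs_path):
    """Render the replacement quoted from Joshua Slive above: keep the
    directory where it is, but hand every file in it to the CGI handler so
    that no spelling of the path falls through to the default handler."""
    directory = posixpath.normpath(fs_path.replace("\\", "/")).rstrip("/") or "/"
    return (f'<Directory "{directory}">\n'
            "    SetHandler cgi-script\n"
            "    Options ExecCGI\n"
            "</Directory>\n")


# Constructed sample config (not from any real server): one alias inside
# DocumentRoot spelled with different case, one outside it.
SAMPLE_CONF = '''\
# Constructed httpd.conf fragment for the audit above
DocumentRoot "C:/Apache2/htdocs"
ScriptAlias /cgi-bin/ "C:/apache2/HTDOCS/cgi-bin/"
ScriptAlias /safe-bin/ "C:/Apache2/cgi-bin/"
'''

if __name__ == "__main__":
    for url, fs in scriptaliases_inside_docroot(SAMPLE_CONF, case_insensitive=True):
        print(f"ScriptAlias {url} -> {fs} is inside DocumentRoot; consider instead:")
        print(suggested_fix(fs))
```

Running the audit with `case_insensitive=False` (the *nix view) reports nothing for the sample, because `C:/apache2/HTDOCS` and `C:/Apache2/htdocs` are then different directories; with the Windows/HFS+ view it flags the first alias, which is exactly the distinction the message above draws between the two platforms.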


