Joshua Slive wrote:
> On 8/19/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:
>
> [I don't agree with large chunks of what you wrote, but the crux of
> the matter is here:]
That's ok :-)
BTW:
Nobody else has an opinion on this discussion? Perhaps everyone is on
weekend vacation. ;-)
> > And why is (part of) the URI sometimes case-sensitive and
> > sometimes not, and what happens in consequence because of this
> > behavior? And this behavior is the only reason why it can be (on some
> > systems) a problem to have the ScriptAlias inside the DirectoryRoot.
>
> That last sentence is simply not true. Search the bugtraq
> archives for all the other vulnerabilities in windows web servers
> caused by subtleties of the filesystem.
Do you have some examples? But see the current case. In simple words:
An HTTP server must process the abs_path from a URI in a case-sensitive
manner. Thus with a case-sensitive filesystem it's enough to build a
canonical / normalized path and ask the system: do you have this file? With a
case-insensitive/preserving filesystem you must also compare the realpath of
a file with the canonical / normalized path from the request. That's really
basic understanding. And it's not new that some systems, like Windows, have
a case-insensitive filesystem or other differences from a "normal" *nix
filesystem. Software must respect this.
> It is not the job of *Alias* to deal with that; the *Alias* directives
> map a URL to the filesystem. If you want to protect things in the
> filesystem, you have <Directory>.
That's ok. If I want to protect something or change the way the
content of a directory is processed, I should do this inside a container
like <Directory>. But why is there a "ScriptAlias" directive at all?
--> Then this directive had better be removed.
Next question...
From the manual:
| The Alias directive allows documents to be stored in the
| local filesystem other than under the DocumentRoot.
Or the "httpd.conf":
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under the DocumentRoot.
Now we assume that the DocumentRoot is only a special alias. Thus we can
also say:
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under another existing Alias.
--> Why is it allowed (without even a warning) to make an Alias whose
target is already accessible via another Alias?
> Yes, it would be nice if httpd could force the use of a canonical case
> on case-insensitive filesystems. It can be partially done with
> mod_rewrite. But that would not make it safe to use ScriptAlias in
> the way you want.
Ok. Then we can say: for some other reasons, it's not safe to make a
ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).
Regards,
Carsten
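
The two-step mapping Carsten describes above (build a canonical / normalized path from the abs_path, then on a case-insensitive/preserving filesystem also compare the name actually stored on disk with the requested name), as an added example in Python that is not part of this thread or of Apache httpd. It assumes the abs_path has already been percent-decoded; the document tree (cgi-bin/test.cgi, index.html) is constructed in a temporary directory for the demo, and all function names are illustrative. The point it shows: `os.path.exists` answers "is there something reachable under this spelling?", which on a case-insensitive filesystem says yes for `/CGI-BIN/test.cgi`, while the component-by-component listing comparison says no on every platform.

```python
"""Case-exact mapping of a URI abs_path onto a filesystem path.

Added example, not code from the mailing-list thread or from Apache httpd.
Demonstrates: (1) canonicalizing the request path and rejecting escapes
above the root, (2) a naive existence check that trusts the filesystem's
own name comparison, and (3) an exact-case walk that compares each
requested component against the directory listing, so a case-insensitive
or case-preserving filesystem cannot make "/CGI-BIN/x" reach "cgi-bin/x".
Assumption: abs_path is already percent-decoded.
"""
import os
import posixpath
import tempfile
from typing import Optional


def canonical_abs_path(abs_path: str) -> Optional[str]:
    """Normalize abs_path ("/a/./b/../c" -> "/a/c").

    Returns None if the path is not absolute or if ".." would climb
    above the root at any point (posixpath.normpath silently turns
    "/../x" into "/x", so the raw components are checked first).
    """
    if not abs_path.startswith("/"):
        return None
    depth = 0
    for part in abs_path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return None
        else:
            depth += 1
    return posixpath.normpath(abs_path)


def naive_path(root: str, abs_path: str) -> Optional[str]:
    """Join the canonical path under root without any case check."""
    norm = canonical_abs_path(abs_path)
    if norm is None:
        return None
    return os.path.join(root, *[p for p in norm.split("/") if p])


def naive_exists(root: str, abs_path: str) -> bool:
    """What a server gets by only asking the filesystem 'do you have this?'.

    On a case-insensitive filesystem this is True for "/CGI-BIN/test.cgi"
    even though the stored name is "cgi-bin/test.cgi".
    """
    target = naive_path(root, abs_path)
    return target is not None and os.path.exists(target)


def resolve_case_exact(root: str, abs_path: str) -> Optional[str]:
    """Map abs_path under root, requiring an exact-case match per component.

    Walks one directory level at a time and compares the requested name
    byte-for-byte against os.listdir(), which reports the stored spelling.
    Returns the filesystem path, or None if no entry exists with exactly
    that spelling (or the request escapes the root).
    """
    norm = canonical_abs_path(abs_path)
    if norm is None:
        return None
    current = root
    for name in [p for p in norm.split("/") if p]:
        try:
            entries = os.listdir(current)
        except OSError:          # not a directory, unreadable, or missing
            return None
        if name not in entries:  # exact comparison, independent of the FS
            return None
        current = os.path.join(current, name)
    return current


def build_demo_tree() -> str:
    """Constructed sample tree: <root>/cgi-bin/test.cgi and <root>/index.html."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "cgi-bin", "test.cgi"), "w") as f:
        f.write("#!/bin/sh\necho 'Content-Type: text/plain'; echo; echo hi\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<p>hello</p>\n")
    return root


if __name__ == "__main__":
    docroot = build_demo_tree()
    for req in ("/cgi-bin/test.cgi", "/CGI-BIN/test.cgi",
                "/cgi-bin/../cgi-bin/test.cgi", "/../etc/passwd"):
        print(f"{req:32s} naive={naive_exists(docroot, req)!s:5s} "
              f"exact={resolve_case_exact(docroot, req) is not None}")
```

Run it on a Windows or default-formatted macOS volume and the second line shows `naive=True exact=False`; on an ext4 or similar case-sensitive filesystem both checks agree, which is exactly why the problem "only looks as if it's safe" on *nix.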