httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Anonymizing 403 responses [Was: svn commit: r1799731]
Date Mon, 26 Jun 2017 22:49:42 GMT
On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic.dev@gmail.com> wrote:
>
>> What could be the "security blunders" with 404 vs 403?
>
> A 403 says "go away, you are denied". Hopefully modules are smart
> about that.
>
> A 404 says "no such resource". Modules such as mod_speling try to
> interpret what the user typed in an accommodating way, and come up
> with something that ought to be served instead.
>
> In the particular example, /CON (device) might be interpreted as /.conf
> (file). But if the admin/author is attentive, they deny access to .conf and
> the remap attempt fails.

FWIW mod_speling is well-understood to reveal such 'hidden files'.
Even if we fixed the specific case for /con (device) remapping, all
the user would have to do is attempt to access ".con" (no file found)
to discover .conf in that directory, if it isn't prohibited.

I trust that both presenting CHR files as 403 is not an issue, and that
mod_speling's behavior is correct so far as it goes if users choose to
deploy it. But it seems like there should be some deterministic way
to reject non-file or other entities as not-found without other modules
attempting to 'just fix it.'
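As an added illustration of the "attentive admin" case discussed in this thread (this configuration is not part of the original message or of httpd's own documentation), the fragment below keeps mod_speling enabled for a document root but explicitly denies every dotfile, including `.conf`, so that a remap attempt toward such a name is refused rather than served. The directory path is an assumption for the example; `CheckSpelling`, `<FilesMatch>` and `Require all denied` are real httpd 2.4 directives.

```apache
# Added example, not from the thread: deny dotfiles so that a mod_speling
# correction toward ".conf" (or any other hidden file) cannot succeed.
# Assumes mod_speling and mod_authz_core are loaded; the path is illustrative.
<Directory "/var/www/html">
    # Keep spelling correction for ordinary, publicly served files.
    CheckSpelling On
</Directory>

# Any file whose name starts with "." is refused regardless of how the
# request arrived at it, so a misspelled request for "/.con" cannot be
# turned into a served copy of "/.conf".
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

After applying this, verify on your own server that a request for a deliberately misspelled dotfile name returns a plain denial and, as the thread points out, carries no `Location` header that would itself reveal the corrected file name; the deny rule protects the file, and the check confirms that the remap no longer discloses its existence.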
