httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Anonymizing 403 responses [Was: svn commit: r1799731]
Date Tue, 27 Jun 2017 17:11:38 GMT
On Jun 27, 2017 3:00 AM, "Yann" <ylavic.dev@gmail.com> wrote:

On Tue, Jun 27, 2017 at 12:49 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>> On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic.dev@gmail.com> wrote:
>>
>>> What could be the "security blunders" with 404 vs 403?
>>
>> A 403 says "go away, you are denied". Hopefully modules are smart
>> about that.

It seems that one can create a "regular" file or directory containing
such "reserved" word (by using UNC paths, but I don't know enough
about Windows to say if it's really the case and from which version).
So we (or APR) should be able to determine whether it really exists or
not, and/or its access is truly denied by the OS (or httpd), and
return the correct 4xx no?


No. AIUI pervasive device names cannot be used as regular directory or
filenames at all.

It does exist. ./NULL on Windows is just as much a file as /dev/null is on
Unix.

APR does report this is a CHR file type/device.

The correct result has long been 403 forbidden on any OS.

Ignore Gregg's patch and go back to the underlying complaint. Rather than
forbidden, users are asking in a general scope for security by obscurity,
of advising the user agent that forbidden resources apparently don't exist.

As you pointed out this is not a great solution to bad admin practices.
But, the ask is there, so please ignore "on Windows" and let's consider
what is involved in adding support for a hard declaration of 404, or a late
transition from 403 to 404 (or any response code X to Y, for that matter.)
