httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Multiple URLs / One Site
Date Tue, 27 Apr 2004 18:34:46 GMT
On Tue, 27 Apr 2004 trlists@clayst.com wrote:

> On 27 Apr 2004 Joshua Slive wrote:
>
> > Yes.  The most common case is a trailing-slash redirect: When someone
> > requests a directory without the trailing slash, apache must redirect them
> > to the same URL with a trailing slash added.
>
> Got it, thanks.  Now why doesn't it just add the slash?  Maybe I don't
> want to know :-).

Because then all relative URL references would be wrong.  If you access
"/dir", and then click on a relative link for "file", your browser will
take you to "/file".  If, on the other hand, you had accessed "/dir/",
your browser would have taken you to "/dir/file".  Since this resolution is
handled by the browser, not the server, the server must inform the browser
of the true URL with the trailing slash included.

> > Also, the server name is used in server-generated error documents and
> > things like that.
>
> Good point.  I imagine it must be used in the logs too, though I
> haven't looked at the logging setup yet.

The logs can be configured either to use the ServerName or the
browser-supplied hostname.

> > Nothing major.  You should just be sure not to rely on the SERVER_NAME
> > environment variable, since an attacker could specify whatever he wants
> > there.
>
> I just checked and I'm not using this.  I'm trying to understand the
> mechanism though -- does an attacker have to map the server name they
> want to use to my IP then reference that as a URL, or can they do it
> without a DNS hack?

To do it with a real browser, yes you'd need to change DNS.  But you don't
need to use a real browser.  You can simply telnet to your server's IP on
port 80 and then specify whatever you want in the Host: header, as in

telnet yourhost.example.com 80
GET / HTTP/1.1
Host: whatever.I.want

Then apache will treat whatever.I.want as the server name.

Joshua.
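
Added example, not part of the original message and not Apache's own code: a sketch of how an application can avoid trusting the client-supplied Host: header when it builds a trailing-slash redirect, by checking it against a configured list and falling back to a canonical name. The host names, the allowlist and the sample requests are constructed assumptions.

```python
# Constructed configuration: the names this site is actually served under.
CANONICAL_HOST = "www.example.com"
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def parse_host(raw_request: bytes):
    """Return the Host header (lower-cased, port removed), or None.

    None is returned when the header is missing or sent more than once,
    since either case leaves the intended virtual host ambiguous.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    header_lines = head.split("\r\n")[1:]          # skip the request line
    hosts = [line.split(":", 1)[1].strip()
             for line in header_lines
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        return None
    return hosts[0].lower().split(":", 1)[0].rstrip(".")


def trusted_host(raw_request: bytes):
    """Return the requested host only if it is one we are configured for."""
    host = parse_host(raw_request)
    return host if host in ALLOWED_HOSTS else None


def trailing_slash_redirect(raw_request: bytes, path: str) -> str:
    """Location value for a directory requested without its trailing slash.

    An unrecognised Host value never reaches the generated URL; the
    configured canonical name is used instead.
    """
    host = trusted_host(raw_request) or CANONICAL_HOST
    return f"http://{host}{path}/"


# Constructed sample requests, shaped like the telnet session above.
GOOD = b"GET /dir HTTP/1.1\r\nHost: Example.com:80\r\n\r\n"
SPOOFED = b"GET /dir HTTP/1.1\r\nHost: whatever.I.want\r\n\r\n"
DOUBLED = b"GET /dir HTTP/1.1\r\nHost: example.com\r\nHost: whatever.I.want\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, SPOOFED, DOUBLED):
        print(parse_host(req), "->", trailing_slash_redirect(req, "/dir"))
```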
