Joshua Slive schrieb:
On 8/19/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
[I don't agree with large chunks of what you wrote, but the crux of
the matter is here:]
That's ok :-)
BTW:
Nobody else has an opinion to this discussion? Perhaps all are in the
weekend vacation. ;-)
> And why are sometimes (part of) the URI is case-sensitive and
> somtimes not and what happens in consequence because of this
> behavior. And this behavior is the only reason why it can be (on some
> systems) a problem to have the ScriptAlias inside the DirectoryRoot.
That last sentence is simply not true. Search the the bugtraq
archives for all the other vulnerabilities in windows web servers
caused by subtleties of the filesystem.
You have some examples? But see the current case. In easy words:
A HTTP server must process the abs_path from an URI in a case-sensitive
manner. Thus with a case-sensitive filesystem it's enough to build a
canonical / normalized path and ask the system: You have this file?. With a
case-insensitive/preserving filesystem you must also compare the realpath of
a file with the canonical / normalized path from the request. That's really
basic understanding. And it's not new that some systems, like Windows, have
a case-insensitive filesystem or other differences to a "normal" *nix
filesystem. A software must respect this.
It is not the job of *Alias* to deal with that; the *Alias* directives
map a URL to the filesystem. If you want to protect things in the
filesystem, you have <Directory>.
That's ok. If I want to protect something or change the behavior how the
content of a directory is processed, I should do this inside a container
like <Directory>. But why is there the Directive "ScriptAlias"?
--> This Directive should then better be removed.
Next question...
From the manual:
| The Alias directive allows documents to be stored in the
| local filesystem other than under the DocumentRoot.
Or the "httpd.conf":
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under the DocumentRoot.
Now we assume that the DocumentRoot is only a special alias. Thus we can
also say:
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under another existing Alias.
--> Why is it allowed (or without a warning) to make an Alias, where the
target is already accessible via another Alias?
Yes, it would be nice if httpd could force the use of a canonical case
on case-insensitive filesystems. It can be partially done with
mod_rewrite. But that would not make it safe to use ScriptAlias in
the way you want.
Ok. Then we can say: For some other reasons, it's not safe to make a
ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).
Regards,
Carsten
