Ivan Zhakov wrote: > > I encountered the following problem with Apache HTTPD on Windows: > * lets suppose that server root is "C:\ABC\XYZ\root"; > * httpd service have all appropriate access permissions > for the server root; > * but httpd service doesn't have any access permission for > the parents of the root. E.g. httpd service doesn't have > access to "C:\ABC" and "C:\ABC\XYZ" > * in this case httpd failed to start with error message "Invalid file > path C:\ABC\XYZ\root\conf\htpasswd" if AuthUserFile directive used. > > We did researched and found that this happens with most Apache > directives, because they use a function ap_server_root_relative (), > which in turn causes apr_filepath_merge () with a flag > APR_FILEPATH_TRUENAME. > > This change was introduced in r90571 [1], before r90571 > ap_make_full_path() used which does not perform file path resolution > like apr_filepath_merge with flag APR_FILEPATH_TRUENAME does.
Yes; this change is by design... > We have the following questions: > * what is the reason to use APR_FILEPATH_TRUENAME argument in that place? How do you suggest that in the httpd.conf that Apache disambiguates C:\ABC from C:\abc, or worse yet, C:\abacadabara from C:\abacab~1 etc? Without resolving the true path elements it's very difficult to do this. Therefore the make full path ensures that two file names in two different directives, or the resolved path and the path given by directive can be authoritatively compared for equality. > * is it possible to remove APR_FILEPATH_TRUENAME argument in the trunk > of Apache HTTP Server? (see attached patch) -1, veto for such a change. Change this and httpd and even third party modules can ultimately discover their configuration file is invalid, leading to security exposures.
