On Jun 27, 2017 3:00 AM, "Yann" <ylavic....@gmail.com> wrote:
On Tue, Jun 27, 2017 at 12:49 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: >> On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic....@gmail.com> wrote: >> >>> What could be the "security blunders" with 404 vs 403? >> >> A 403 says "go away, you are denied". Hopefully modules are smart >> about that. It seems that one can create a "regular" file or directory containing such "reserved" word (by using UNC paths, but I don't know enough about Windows to say if it's really the case and from which version). So we (or APR) should be able to determine whether it really exists or not, and/or its access is truly denied by the OS (or httpd), and return the correct 4xx no? No. AIUI pervasive device names cannot be used as regular directory or filenames at all. It does exist. ./NULL on Windows is just as much a file as /dev/null is on Unix. APR does report this is a CHR file type/device. The correct result has long been 403 forbidden on any OS. Ignore Gregg's patch and go back to the underlying complaint. Rather than forbidden, users are asking in a general scope for security by obscurity, of advising the user agent that forbidden resources apparently don't exist. As you pointed out this is not a great solution to bad admin practices. But, the ask is there, so please ignore "on Windows" and let's consider what is involved in adding support for a hard declaration of 404, or a late transition from 403 to 404 (or any response code X to Y, for that matter.)
