4 posts

mod_hfs_apple in Apache 2

started at 19 Jun 2010
started by chrisbunch
last reply from chrisbunch
  • 19 Jun 2010

    I upgraded to Apache 2 a while ago (so I could use Subversion). Recently I have set up some secure areas on one of my sites but have noticed that it can be circumvented by using a URL with the folder in question in a different case. For example, I can make http://mydomain.com/ABC/ secure but http://mydomain.com/aBC/ will circumvent the authentication!

    This didn't happen with Apache 1.3, I believe because it included mod_hfs_apple which 'compensates' for HFS+'s case insensitivity (http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c3ws31.html). mod_hfs_apple is not included in my instance of Apache 2 (2.2.4). Does anyone know if Apple ever upgraded it for Apache 2, and if so, from where I can get it?

  • 21 Jun 2010

    Chris, don't really understand why the one URL is more secure than the other when you only change the case on one letter.

    Wouldn't you use HTTPS to make it more secure?

    Another approach could be to use a .htaccess file that redirects incorrect URLs with the wrong case to somewhere else.

  • 27 Jul 2010

    Apache 2.2 does NOT provide that option (mod_hfs_apple), so one assumes it was clearly something created by Apple.

    Reading the support note, the implication is that post 10.4 versions of OSX do not have the same problem as pre-10.4 versions, implying that the issue is on Apple's side of the fence.

    One assumes that this "feature" is only active if/when the disk itself is formatted as "extended, case-sensitive," not merely "extended" although the help item does not state what the "default format" for OSX-Server volumes happens to be.

    I believe that the general default in Disk Utility is "extended, journaled" but I do not know offhand. That is to say -- you do NOT get case sensitivity on a normal Apple Formatted disk.

  • 07 Sep 2010

    Thanks both -

    It seems basically that Apple does not recommend/support Apache 2.x running on HFS+ volumes, and recommends using a UFS volume instead. The relevant TAs are http://support.apple.com/kb/TA22750 and http://support.apple.com/kb/TA21099

    The latter has a good illustration of the issue.

    I guess reformatting as a case-sensitive HFS volume would do the trick, but much less convenient for Terminal work.

    Redirection is a possibility but only for short names as one would need to create a redirection for every case permutation - 1. Tedious.

    .htaccess files are out of favour at the moment: I am trying to clear up after a hacker injected some code somewhere that periodically creates .htaccess files in every conceivable folder containing a redirection to musikkorps.com...
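
An added example, not code from the thread or from any poster: a Python check that scans an Apache access log for requests that reached a protected area through a differently cased path and were served without an authenticated user, which is the symptom described in the first post. The protected prefix `/ABC/`, the Common Log Format layout, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed protected URL prefixes, spelled exactly as in the Apache auth config.
PROTECTED = ["/ABC/"]

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def case_variant_of(path, protected=PROTECTED):
    """Return the protected prefix that `path` matches only when case is ignored."""
    for prefix in protected:
        head = path[:len(prefix)]
        if head != prefix and head.casefold() == prefix.casefold():
            return prefix
    return None

def find_bypasses(lines, protected=PROTECTED):
    """Return (host, path, status, prefix) for unauthenticated case-variant hits."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        host, user, _method, target, status = m.groups()
        # Decode percent-escapes first, so /%61bc/ is compared as /abc/.
        path = unquote(urlsplit(target).path)
        prefix = case_variant_of(path, protected)
        # 2xx/3xx with user "-" means the auth rule never applied to this request.
        if prefix and status[0] in "23" and user == "-":
            hits.append((host, path, int(status), prefix))
    return hits

# Constructed sample log lines (documentation IP addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - alice [19/Jun/2010:10:00:00 +0000] "GET /ABC/report.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Jun/2010:10:00:05 +0000] "GET /ABC/report.html HTTP/1.1" 401 401',
    '192.0.2.11 - - [19/Jun/2010:10:00:09 +0000] "GET /aBC/report.html HTTP/1.1" 200 512',
    '192.0.2.12 - - [19/Jun/2010:10:01:00 +0000] "GET /%61bc/ HTTP/1.1" 200 300',
    '192.0.2.13 - - [19/Jun/2010:10:02:00 +0000] "GET /abcd/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for host, path, status, prefix in find_bypasses(SAMPLE):
        print(f"{host} got {status} for {path} (case variant of {prefix})")
```

Python's `casefold()` only approximates HFS+ case folding, so treat hits as leads to confirm against the volume itself.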
