MacOS X Circumvents Apache Security

Posted by krow on Tuesday June 12, 2001 @10:27AM from the if-you-leave-the-window-open-does-it-matter-that-you-locked-the-door dept.

cloudscout writes: "This Report at SecurityFocus.com warns of a problem with the Apache webserver running under Apple's new MacOS X operating system with the case-insensitive HFS+ filesystem. HFS+ is the default (and recommended) filesystem for MacOS X, yet its case-insensitive nature circumvents directory-based security in the Apache webserver that comes with the operating system. The Server version of MacOS X ships with a module that fixes this problem, but this module isn't available unless you purchase MacOS X Server. So much for Apple's boast about 'giving back to the open-source community.'"
From looking through SecurityFocus, this doesn't appear to be the only problem.

1 of 14 comments (clear)

Min score:

Reason:

Sort:

Re:So how does Apache cope on Windows? by Coward,+Anonymous · 2001-06-13 15:47 · Score: 4

So how does Apache handle the Windows (NT or whatever) filesystem. Last time I looked that was case-insensitive too

Apache uses ap_os_canonical_filename() which on case sensitive unices is a macro to replace it with the filename, but the util_win32.c provides an ap_os_canonical_filename function which converts the name to lowercase thus allowing "This" and "ThiS" to match (both being returned as "this"), so something similar is needed on case-insensitive MacOS machines.