[22637] in bugtraq
Re: More security problems in Apache on Mac OS X
daemon@ATHENA.MIT.EDU (Kee Hinckley)
Thu Sep 13 01:06:06 2001
Mime-Version: 1.0
Message-Id: <p05100325b7c4ae6e5842@[192.168.1.104]>
In-Reply-To: <20010910090207.A15706@golem.ph.utexas.edu>
Date: Wed, 12 Sep 2001 02:22:36 -0400
To: Jacques Distler <distler@golem.ph.utexas.edu>
From: Kee Hinckley <nazgul@somewhere.com>
Cc: bugtraq@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 9:02 AM -0500 9/10/01, Jacques Distler wrote:
>Using mod_hfs (which takes care of case-insensitivity in directory names)
>and using <FilesMatch> (with well-chosen regular expressions) instead of
><Files> directives (to take care of case-insensitivity in filenames), we can
>"cure" the case-insensitivity problem and restore Apache's access controls.
By far the best and safest solution for dealing with the case
sensitivity issues with Apache on OSX is to only run it on UFS
volumes. That avoids the regular expression hacks, and avoids
security issues around scripting languages (will .epl bring up an
Embperl file, but .EPL show my internal code?), and avoids the need
for mod_hfs.

Doesn't fix the .DS_Store problem though. Good call.
- --
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
iQA/AwUBO57/eSZsPfdw+r2CEQK69wCfdHxgN1mU+B/LKr+Tdr8CvpDORioAn3EC
aHaYE4Ax3aVZQl5hautf3k6b
=sw5E
-----END PGP SIGNATURE-----
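
An added example, not part of the original post or of Apache: a short Python audit of the two points the thread raises, namely whether a directory sits on a case-folding volume and whether a FilesMatch-style regex covers every spelling of a protected name. The function names and the two sample patterns are assumptions made for illustration, and Python's `re` stands in for Apache's own regex matching.

```python
import itertools
import os
import re
import tempfile


def volume_is_case_insensitive(directory):
    """Create a lower-case probe file, then look it up by its upper-case name."""
    with tempfile.NamedTemporaryFile(prefix="caseprobe_", dir=directory) as probe:
        head, name = os.path.split(probe.name)
        return os.path.exists(os.path.join(head, name.upper()))


def case_variants(name):
    """Every spelling of name that a case-insensitive volume maps to one file."""
    choices = [sorted({ch.lower(), ch.upper()}) for ch in name]
    return ["".join(chars) for chars in itertools.product(*choices)]


def uncovered_spellings(regex, name):
    """Spellings of name that the access-control regex does not match."""
    rule = re.compile(regex)  # FilesMatch-style unanchored search on the file name
    return [v for v in case_variants(name) if not rule.search(v)]


# Constructed patterns for illustration; not taken from the thread or any httpd.conf.
RULES = {
    "case-sensitive": r"^\.ht",
    "bracketed": r"^\.[Hh][Tt]",
}


def audit(docroot, name=".htaccess"):
    """Return (volume_folds_case, {rule label: number of spellings it misses})."""
    folds = volume_is_case_insensitive(docroot)
    gaps = {label: len(uncovered_spellings(rx, name)) for label, rx in RULES.items()}
    return folds, gaps


if __name__ == "__main__":
    folds, gaps = audit(tempfile.gettempdir())  # stand-in for the DocumentRoot
    print("volume folds case:", folds)
    for label, missed in gaps.items():
        status = "exposed" if folds and missed else "ok"
        print(f"{label}: {missed} spellings unmatched -> {status}")
```

A rule with unmatched spellings only matters when the volume folds case, which is why the UFS recommendation above removes the problem without touching the patterns.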