
Re: notes on 1.1b4 authorization and table_set() function calls. (fwd)

From: Alexei Kosut <akosut(at)organic.com>
Date: Mon Jun 24 1996 - 19:31:04 EDT


On Mon, 24 Jun 1996, Vivek Khera wrote:

[snip]

> I haven't looked into the complexity of this just yet, but it would seem to me

It might seem to make sense; indeed, it would, as you say, reduce load on the authorization database. However, it would be a security hole: If the server returned a Not Found error prior to returning an Authentication Required error, a potential hacker might be able to get a map of all the filenames on the server, without actually having access to the server, by noting when the server returned Not Found, versus when it asked for authentication.

Apache, when finding directory indexes internally, uses the exact same mechanism that it uses when a file is requested by a user, except that it does not actually serve the file. Since this request includes the authentication stage, it is therefore necessary to check authorization for each index file checked.

> Secondly, I notice that at many places you call table_set() with the third

pstrdup() is not a particularly expensive operation, due to the way Apache's memory-pool allocation code works (not nearly as much as it would be for the corresponding malloc() and strcpy()), but you are correct, there is a lot of this sort of thing. Probably the best explanation is that it makes people feel safer, knowing for sure that their strings won't be mangled.

Perhaps in a future version of Apache, we will clean up this sort of thing. It might not be a bad idea.


> Thanks for your attention.

Thanks for using Apache!

Received on Mon Jun 24 16:31:24 1996
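The ordering argument in the message above (authorize first, and authorize every DirectoryIndex candidate, so that an unauthenticated request cannot tell "file exists" from "file does not exist") can be shown with a small simulation. This is an added example, not Apache code: the in-memory file set, the protected prefix, the index candidate list and the credential string are all constructed here.

```python
# Added example (not from the original message or from Apache): two request handlers
# that differ only in whether existence or authorization is checked first.

PROTECTED_PREFIX = "/private/"                    # constructed: directory requiring auth
INDEX_CANDIDATES = ("index.html", "index.htm")    # constructed DirectoryIndex list

FILES = {                                         # constructed in-memory "disk"
    "/private/index.html",
    "/private/secrets.txt",
    "/public/index.html",
}

GOOD_CREDENTIAL = "alice:correct-horse"           # constructed credential


def is_authorized(path, credentials):
    """Simulated auth stage: anything under the protected prefix needs valid credentials."""
    if not path.startswith(PROTECTED_PREFIX):
        return True
    return credentials == GOOD_CREDENTIAL


def resolve_index(path):
    """Turn a directory request into candidate index filenames, as DirectoryIndex does."""
    if path.endswith("/"):
        return [path + name for name in INDEX_CANDIDATES]
    return [path]


def handle_leaky(path, credentials=None):
    """Existence checked first: 404 vs 401 tells an outsider which names exist."""
    for candidate in resolve_index(path):
        if candidate in FILES:
            if not is_authorized(candidate, credentials):
                return 401
            return 200
    return 404


def handle_safe(path, credentials=None):
    """Authorization checked for every candidate before existence is consulted."""
    for candidate in resolve_index(path):
        if not is_authorized(candidate, credentials):
            return 401
        if candidate in FILES:
            return 200
    return 404


def distinguishable(handler, existing, missing):
    """Defender's check: does an unauthenticated probe of an existing and a missing
    name under the protected prefix produce different status codes?"""
    return handler(existing) != handler(missing)


if __name__ == "__main__":
    for name in ("/private/secrets.txt", "/private/nothing.txt", "/private/"):
        print(name, "leaky:", handle_leaky(name), "safe:", handle_safe(name))
    print("leaky distinguishable:",
          distinguishable(handle_leaky, "/private/secrets.txt", "/private/nothing.txt"))
    print("safe distinguishable:",
          distinguishable(handle_safe, "/private/secrets.txt", "/private/nothing.txt"))
```

The loop in `handle_safe` is the point of the second paragraph of the message: each index candidate goes through the authorization stage before the directory is consulted, so a directory request behaves exactly like a request for a single protected file. `distinguishable` is the regression check a maintainer would keep: it must stay `False` for the safe handler.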

This archive was generated by hypermail 2.1.8 : Thu Aug 24 2006 - 14:43:45 EDT

