Jigsaw bug, security problems

From: Anselm Baird-Smith <abaird@w3.org>
Date: Sat, 13 Jul 1996 15:08:55 +0500
Message-Id: <9607131908.AA02790@www18.w3.org>
To: www-jigsaw@w3.org


Lots of people have been sending me email about a bug in Jigsaw that
has severe implications. Basically the problem has to do with how the
underlying OS handles file case sensitivity:

If you go to /Admin on Win* for example, you get the appropriate
material, however if you get to it through /aDmin, then you will be
able to get to the same resource, but potentially by-passing the
security filters that have been set only on /Admin.

I don't know yet how to solve the bug, there are several possibilities:

a) Convert all resource names to lower case, then convert all
requested URLs to lower case too (basically making sure there is only
one path to all resources). This would make Jigsaw totally insensitive
to case.

b) The underlying problem is really when Jigsaw decides to create a
new resource because a request comes in for an existing file or
directory, that has not been indexed yet. If File.exists(name) returns
true for the requested name, then Jigsaw decides to create an
appropriate resource for the object to export (file or dir), I still
hope I might be able to act at this level, rather than taking the
systematic approach of a). I know for sure that listing a directory
content returns the file name list with the appropriate lower/upper

If anyone with some Win* knowledge can explain how and when Win
FileSystem is case sensitive or if anyone has any other ideas, let me
know (BTW www.microsoft.com is case insensitive, I just checked
it). In the mean time, I would recommend:

a) Renaming the /Admin resource to some more difficult to guess
b) Set up authentication on the root resource of your server

This is definitely the first important problem Jigsaw encounters :-( It
applies only to Jigsaws running on a filesystem which is *not* case
sensitive (so people using Jigsaw under UNIX are safe, at least with
regard to this).
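
The check sketched in option b), as an added example that is not part of
the original message and is not Jigsaw's code: a request path is accepted
only when every component appears with exactly that spelling in the
directory listing, so /aDmin does not resolve to the on-disk Admin even
where File.exists() returns true. The class and method names
(ExactCaseLookup, resolveExact) and the sample tree are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Arrays;

public class ExactCaseLookup {
    /**
     * Resolve urlPath under root, accepting a component only if the
     * directory listing contains that exact (case-sensitive) name.
     * Returns null when a component is missing or differs in case.
     */
    static File resolveExact(File root, String urlPath) {
        File current = root;
        for (String name : urlPath.split("/")) {
            if (name.isEmpty()) continue;               // leading or doubled '/'
            if (name.equals(".") || name.equals("..")) return null;
            String[] entries = current.list();          // names as stored on disk
            if (entries == null) return null;           // not a directory, or unreadable
            if (!Arrays.asList(entries).contains(name)) return null;
            current = new File(current, name);
        }
        return current;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: <tmp>/Admin/index.html
        File root = Files.createTempDirectory("docroot").toFile();
        File admin = new File(root, "Admin");
        admin.mkdir();
        new File(admin, "index.html").createNewFile();

        for (String path : new String[] {"/Admin/index.html", "/aDmin/index.html"}) {
            // exists() is true for both spellings on a case-insensitive filesystem
            boolean exists = new File(root, path.substring(1)).exists();
            File exact = resolveExact(root, path);
            System.out.println(path + " exists()=" + exists
                    + " exactMatch=" + (exact != null));
        }
    }
}
```

On a case-insensitive filesystem the second line of output shows
exists()=true with exactMatch=false, which is the mismatch a server can
use to refuse creating a second resource for the same file.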

