- From: Anselm Baird-Smith <abaird@w3.org>
- Date: Sat, 13 Jul 1996 15:08:55 +0500
- To: www-jigsaw@w3.org
Hi,

Lots of people have been sending me email about a bug in Jigsaw that has severe implications. Basically the problem has to do with how the underlying OS handles file case sensitivity: if you go to /Admin on Win* for example, you get the appropriate material, however if you get to it through /aDmin, then you will be able to get to the same resource, but potentially by-passing the security filters that have been set only on /Admin.

I don't know yet how to solve the bug, there are several possibilities:

a) Convert all resource names to lower case, then convert all requested URLs to lower case too (basically making sure there is only one path to all resources). This would make Jigsaw totally insensitive to case.

b) The underlying problem is really when Jigsaw decides to create a new resource because a request comes in for an existing file or directory that has not been indexed yet. If File.exists(name) returns true for the requested name, then Jigsaw decides to create an appropriate resource for the object to export (file or dir). I still hope I might be able to act at this level, rather than taking the systematic approach of a). I know for sure that listing a directory content returns the file name list with the appropriate lower/upper cases...

If anyone with some Win* knowledge can explain how and when Win FileSystem is case sensitive or if anyone has any other ideas, let me know (BTW www.microsoft.com is case insensitive, I just checked it).

In the meantime, I would recommend:

a) Renaming the /Admin resource to some more difficult to guess name.

b) Set up authentication on the root resource of your server.

This is definitely the first important problem Jigsaw encounters :-( It applies only to Jigsaws running on a filesystem which is *not* case sensitive (so people using Jigsaw under UNIX are safe, at least with regard to this).

Anselm.
Received on Sunday, 14 July 1996 00:04:19 UTC