On Thu, Apr 25, 2002 at 11:26:42AM +0100, John Rowe wrote:

> 1. Apache has a configuration file saying what directories it will access
> and any module that allows you to access files outside those
> directories is a security hole. Does axkit check? I don't see that file://
> uris have any place in a document served by http.
I think this is a semantic question. A URI has relevance only to the
'outside' world. It acts as a (hopefully) stable pointer to some resource.
As soon as a request for a given URI 'enters' the webserver it has to be
translated/mapped to some internal resource, be it a file or a function
call or a program invocation.

Second: It's often the case that a 'document' as described by a URI is
actually composed of several resources (xml data, stylesheet(s) etc).
There is no requirement that all those external entities reside within
the webserver's document root.

> 2. However you look at it, the uri '/foo/bar/baz' on a document hosted on
> www.myhost.com should resolve to http://www.myhost.com/foo/bar/baz and if
> axkit does not do this then it is not behaving properly.

Are we talking HTML here (and do we ignore doc-base headers)? Then
resolving '/foo/bar/baz' is entirely up to the browser, I'm afraid. A
webserver will never "see" a 'GET http://www.myhost.com/foo/bar/baz'.

Now, if we talk about server side processing of a request, then you need
to understand that 'DocumentRoot' is a directive for Apache's _file_
handling code. It's not relevant if the source of your data isn't coming
from the static file module. As a convenience, apache provides file
handling functions that honor such directives, but often this is not the
most natural solution. If your server needs to do massive transformations
(xml -> xslt -> html for example) you probably don't want your 'raw' data
under the webserver's document root (often this might even be considered
insecure).

> 3. If I do this and axkit behaves properly then I need only make one
> symlink from docroot to the real dtd directory, configure apache to allow
> symlinks for that directory and all my dtds work.
>
> Why is this so difficult?
Because we see a nice mix of URI namespace, file system namespace and
'external entity resolving' namespace, all of which are very similar but
just different enough to cause trouble _iff_ mixed accidentally.

Ralf Mattes
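A worked illustration of the separation described in the reply above, added here and not code from AxKit or from anyone in the thread: a resolver that takes an external entity's system identifier through the URI namespace first, then maps it onto an allowlisted DTD directory, refusing file:// URIs, foreign hosts and any mapping that escapes the directory after symlink and '..' normalisation. The host name, URI prefix and directory are assumed values for the example.

```python
# Added example: map an XML external-entity system identifier onto an
# allowlisted DTD directory, keeping the URI namespace, the filesystem
# namespace and the entity-resolving step explicitly apart.
# Host, URI prefix and paths are constructed for this example.
import os
from urllib.parse import urljoin, urlsplit, unquote

SITE_HOST = "www.myhost.com"   # only entities on our own host are considered
DTD_URL_PREFIX = "/dtd/"       # URI path prefix that may map onto disk
DTD_ROOT = "/srv/xml/dtd"      # real DTD location; need not be under DocumentRoot


class ResolveError(Exception):
    """Raised when a system identifier may not be mapped to a local file."""


def resolve_entity(system_id: str, base_uri: str) -> str:
    """Return the on-disk path for system_id, or raise ResolveError."""
    # 1. URI namespace: relative ids are joined to the referencing document's
    #    base URI, just as a browser would do it.
    absolute = urljoin(base_uri, system_id)
    parts = urlsplit(absolute)
    # 2. Only http(s) on our own host is considered; file:// and foreign hosts
    #    are refused before anything touches the filesystem.
    if parts.scheme not in ("http", "https"):
        raise ResolveError(f"scheme {parts.scheme!r} not allowed for external entities")
    if parts.hostname != SITE_HOST:
        raise ResolveError(f"refusing entity on foreign host {parts.netloc!r}")
    uri_path = unquote(parts.path)  # decode %2e etc. before the prefix check
    if not uri_path.startswith(DTD_URL_PREFIX):
        raise ResolveError(f"{uri_path!r} is outside the DTD URI prefix {DTD_URL_PREFIX!r}")
    # 3. Filesystem namespace: map the rest of the path under DTD_ROOT and check,
    #    after symlink and '..' normalisation, that it is still inside.
    root = os.path.realpath(DTD_ROOT)
    # Concatenate rather than os.path.join: join would discard `root` if the
    # remainder started with '/', e.g. from a '/dtd//page.dtd' double slash.
    candidate = os.path.realpath(root + "/" + uri_path[len(DTD_URL_PREFIX):])
    if os.path.commonpath([root, candidate]) != root:
        raise ResolveError(f"{uri_path!r} escapes {DTD_ROOT!r} after normalisation")
    return candidate


def is_resolvable(system_id: str, base_uri: str) -> bool:
    """True if the entity would be served from DTD_ROOT, False if refused."""
    try:
        resolve_entity(system_id, base_uri)
        return True
    except ResolveError:
        return False
```

Note that the symlink approach from point 3 of the question is exactly what step 3 guards against in the other direction: with a check like this the DTD directory can live anywhere, and nothing under DocumentRoot has to point at it.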
