At 01:29 PM 7/21/2002, Adrian Grajdeanu wrote:
>The fact that URLs are case sensitive by definition is a strong argument.
>Unfortunately the reality of case insensitive file systems doesn't fit with
>definitions. I guess people already went on and debated this till the bitter
>end. So instead of adding fuel to the fire, I ask if anybody would give me
>pointers to the past debates so I can better educate myself about the
>arguments.
>
>Especially I am curious about the Location vulnerability that case
>insensitive filesystems open up, while the Location name can be case
>sensitive only.
They don't open vulnerabilities, if used correctly...
Alias /my-dav c:/dav-folder
<location "/my-dav">
Dav On
</location>
Since the location matches the alias, and the location is -granting-
permissions, and not taking them away, you are fine.
Consider if we lock down dav to certain users...
<location "/my-dav">
Dav On
Require valid-user
</location>
Now... the Dav On has the same scope as the Require, so dav is
only turned on when the valid-user is required.
If you want to protect a directory, use the <directory> block. If you
want to be more clever, you need to think it through.
Bill
