On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <[email protected]> wrote:
> On Mon, Jun 26, 2017 at 5:34 PM, Yann <[email protected]> wrote:
>
>> What could be the "security blunders" with 404 vs 403?
>
> A 403 says "go away, you are denied". Hopefully modules are smart
> about that.
>
> A 404 says "no such resource". Modules such as mod_speling try to
> interpret what the user typed in an accommodating way, and come up
> with something that ought to be served instead.
>
> In the particular example, /CON (device) might be interpreted as /.conf
> (file). But if the admin/author is attentive, they deny access to .conf and
> the remap attempt fails.

FWIW mod_speling is well-understood to reveal such 'hidden files'. Even if we fixed the specific case for /con (device) remapping, all the user would have to do is attempt to access ".con" (no file found) to discover .conf in that directory, if it isn't prohibited.

I trust that both presenting CHR files as 403 is not an issue, and that mod_speling's behavior is correct so far as it goes if users choose to deploy it. But it seems like there should be some deterministic way to reject non-file or other entities as not-found without other modules attempting to 'just fix it.'
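
The "deny access to .conf" precaution mentioned in the thread, sketched as an added configuration example that is not part of the original message or of the httpd project's own files. The directory path and the filename pattern are assumptions chosen for illustration.

```apache
# Constructed example: /var/www/html and the pattern below are assumptions.
<Directory "/var/www/html">
    # mod_speling: when a requested name is not found, look for a
    # near-match among the entries of the same directory.
    CheckSpelling On

    # Refuse dotfiles and *.conf explicitly, so that a request which
    # mod_speling redirects to such a name is answered with 403
    # instead of the file's contents.
    <FilesMatch "^\.|\.conf$">
        Require all denied
    </FilesMatch>
</Directory>
```

The `Require all denied` form is Apache httpd 2.4 syntax. Leaving `CheckSpelling` at its default of `Off` for directories that hold such files avoids the near-match lookup entirely.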
