To be sure, domains have always been case-insensitive. It's the paths,
files and query strings we're talking about here, right?
So I've been trolling around Google, trying to find some specific
example of an exploit which could best explain this security risk to me,
beyond that of...
1 - Dumb programming. Someone would publish a .cfm file with a .CFM
extension, then never test it (to notice that the engine never parsed it)?
2 - A seemingly contrived example using OpenID; in which a hosting firm
allowed one client access to 'hostingfirm.com/CLIENT1/' - and then
stupidly allowed another client to have 'hostingfirm.com/client1/'?
Perhaps I'm just bad at Googlin'.
I should point out that my machine is still case sensitive - and I don't
see a whole lot of usability issues for it. If my logs DID show a huge
amount of case-related 404s, I'd probably just put a case checker in
the routine that handles that. Lower the case for them and try again.
But I should /also/ point out that my application does NOT rely on a lot
of direct entry of URLs by users. They are clicking on links embedded in
sites, or using forms that pull code from my API.
My .02
Al
--
online documentation: http://openbd.org/manual/
google+ hints/tips: https://plus.google.com/115990347459711259462
http://groups.google.com/group/openbd?hl=en
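An added illustration of the risk behind point 1 above (example code written for this page, not part of Al's message and not OpenBD's own code): a handler map that claims the `.cfm` extension with an exact-case comparison, sitting on a case-insensitive filesystem, hands a request for `index.CFM` to the static-file path and returns the script's source. The in-memory document root, the file contents and the handler names are all constructed for the example; the hardened dispatcher decides on the extension of the file the filesystem actually resolved, compared case-insensitively.

```python
"""Case-sensitive handler map vs. case-insensitive filesystem (constructed example)."""
from typing import Optional

# Constructed in-memory "document root" standing in for a case-insensitive
# filesystem (Windows, default macOS): lookups ignore case, stored names keep it.
DOC_ROOT = {
    "index.cfm": "<cfset dsn = 'prod'>  <!--- constructed script source --->",
    "logo.png": "PNG bytes (constructed placeholder)",
}


def fs_lookup_case_insensitive(name: str) -> Optional[str]:
    """Return the stored file name that matches `name` ignoring case, or None."""
    for stored in DOC_ROOT:
        if stored.lower() == name.lower():
            return stored
    return None


def naive_dispatch(request_path: str) -> str:
    """Weak map: only an exact '.cfm' suffix goes to the engine; everything
    else falls through to the static file server. A request for 'index.CFM'
    misses the engine check, the filesystem resolves it to index.cfm, and the
    raw source is served as a static file."""
    stored = fs_lookup_case_insensitive(request_path.lstrip("/"))
    if stored is None:
        return "404"
    if request_path.endswith(".cfm"):
        return "engine:" + stored
    return "static:" + stored  # source disclosure when `stored` is a script


def hardened_dispatch(request_path: str) -> str:
    """Choose the handler from the extension of the *resolved* name, lowered,
    so the case the client typed cannot steer the choice. Extensions with no
    registered handler are refused rather than served raw."""
    stored = fs_lookup_case_insensitive(request_path.lstrip("/"))
    if stored is None:
        return "404"
    ext = stored.rsplit(".", 1)[-1].lower() if "." in stored else ""
    if ext == "cfm":
        return "engine:" + stored
    if ext in ("png", "css", "js"):
        return "static:" + stored
    return "403"  # unknown extension: never fall through to the static server
```

The same "resolve first, then classify case-insensitively" rule is what a 404-time lower-case retry should sit behind, otherwise the retry only makes the mismatch easier to reach.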