Software Engineering Institute

The Apache web server's file access protection scheme (i.e., file request "filtering") assumes that the filesystem being protected is case sensitve. For example, in a case sensitive file system, such as UFS (the UNIX file system), the file name "ANY_file" and "any_FILE" refer to different files. The Mac's HFS+ filesystem is case insensitve (e.g., the names "ANY_file", "any_FILE", and "any_file" all refer to the same file) . Under the Apache file access protection scheme you specify the directory (e.g., /ANY_directory) or filename (e.g., "/ANY_directory/ANY_file") to be protected, but only directories or pathnames matchings the exact case you specify will be protected.

Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called "directives", which include <Directory>, <Files> and <Location> directives. See http://httpd.apache.org/docs/mod/core.html#directory for further information on directives. When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lover case variation on the filename or directory.

Can bypass Apache file access protection, allowing remote unprivileged users to read privileged files.

Solution 1 - By default, Apache will allow access to any file mapped from a URL You should change the default to deny all access, and then use directives to override and allow access for only those directories and files that you want to be readable. Use regular expressions with directives such as <FilesMatch> and <DirectoryMatch> to cover upper and lover case variations. Be sure to thoroughly test your directives to ensure that Apache is properly allowing or denying access. The follwing advice is from the Apache web site (http://httpd.apache.org/docs/mod/core.html#directory):

Note that the default Apache access for <Directory /> is Allow from All. This means that Apache will serve any file mapped from an URL. It is recommended that you change this with a block such as

<Directory />
    Order Deny,Allow
    Deny from All
</Directory>

and then override this for directories you want accessible. See the Security Tips (http://httpd.apache.org/docs/misc/security_tips.html) page for more details.


Solution 2 - At least a partial fix (a shared object file "mod_hfs_apple.so") is available on the Apple web site as part of thr Web Sharing version 1.0 released on 7-23-2001 -- http://www.apple.com/downloads/macosx/apple/websharingupdate.html . This update fixes the problem when you specify protected directories (using the <Directory> and <Location> directives), but the fix may not work when you specify individual file names to be protected (using the <Files> directive. (See the 13-July-2001 message from Jacques Distler on the following web page: http://www.macintouch.com/mosxreaderreports43.html.) To overcome the case problem for individual filenames, you need to use the <FilesMatch> directive, and specify the filename using regular expressions that cover all upper and lower case variations. Even after applying this patch, it is recommended that you set the Apache default to deny all access, as described in solution 1 above.

Solution 3 - Use the UFS (Unix File System) instead of HFS+. UFS is case sensitive, so everything works as expected. Even if you use UFS, we still recommended that you set the Apache default to deny all access, as described in solution 1 above.