You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Jonathan Pierce <Jo...@seagram.com> on 2000/09/09 02:38:22 UTC

Re[3]: BugRat Report #92 was closed (apparently by: Craig R.

Craig,

I'm not the person who posted the bug report and I agree with you that
case-sensitive urls is not a bug.

I just thought it might be a nice configurable option to have available for
users who want to configure case insensitivity for case insensitive file
systems. The default behavior can still be case-sensitivity if you feel the
performance would be impacted.

Jonathan

____________________Reply Separator____________________
Subject:    Re[2]: BugRat Report #92 was closed (apparently by: Craig R.
Author: tomcat-dev@jakarta.apache.org
Date:       9/8/00 8:23 PM

According to the html 4.0 spec:

"There may be URIs, or parts of URIs, where case doesn't matter (e.g., machine
names), but identifying these may not be easy. Users should always consider that
URIs are case-sensitive (to be on the safe side)."

This sounds to me like it is not required that URLs be case sensitive, only that
users should assume that they are just in case.

It wouldn't hurt to support case-insensivity for the part of the URL that
precedes the context on file systems such as NT which are not case sensitive.
Maybe there could be a configurable option as to whether or not to enforce case
for the part of the url that precedes the context.

Jonathan

____________________Reply Separator____________________
Subject:    Re: BugRat Report #92 was closed (apparently by: Craig R. Mc
Author: tomcat-dev@jakarta.apache.org
Date:       9/8/00 5:17 PM

Jonathan Pierce wrote:

> Paths on NT are not case sensitive.
>

Agreed, but that's not the point.  Resource paths used in HTTP are case
sensitive.

>
> Only the part of the URL after the /servlet needs to be case sensitive.
>

How do you figure that?  From the point of view of HTTP, the context path and
the
"/servlet" prefix are part of the resource path -- the protocol makes absolutely
no
distinction between it and the remainder of the path.

If HTTP were a MIcrosoft-only protocol, I'd be in agreement with you.  But it's
not.  Tomcat needs to play by the official specification's rules.

>
> This also causes a problem when configuring Tomcat to startup as a service if
> the app directory parameter is not typed in the correct case.
>

Is there something so terribly hard about typing it in the correct case when you
run into this?  :-)

>
> Can this be changed to support case insensitivity for the part of the part
that
> precedes the context?
>

Can it be changed?  Sure.  Will it be changed?  Not in the official
distribution,
if my -1 counts for anything (which it does).

Because this is open source, you are welcome to create yourself a patch to make
your version of Tomcat non-standard in this respect.  But you're not going to
like
the performance impact this has on figuring out what webapp a request belongs
to,
or what servlet to execute.

>
> Jonathan
>

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Re: Re[3]: BugRat Report #92 was closed (apparently by: Craig R.

Posted by Nick Bauman <ni...@cortexity.com>.

Agreed.

But then this whole case-insensitivity Windows "niceness" goes
against the notion of a "well-defined problem-domain expertise". I'm all
for user-friendlyness, but there are limits. There is a reason Northwest
Airlines doesn't install joysticks in the passenger seats to allow
customers to "help fly the plane".

On Sat, 9 Sep 2000, Danno Ferrin wrote:

> sensitive.)  Unless any configuration option to turn on case insensitivity
> cound be demonstrated to not re-create that security hole or open any others
> I would be -1 the patch (it would need some extra flair like matching the

Re: Re[3]: BugRat Report #92 was closed (apparently by: Craig R.

Posted by Danno Ferrin <sh...@earthlink.net>.

     Originally tomcat was case insensitive in matching the urls to
servlets/files (or at least after the web-app descriptor and on windows).
The big problem was that it created a security hole with jsp files: foo.jsp
would send the compiled jsp but foo.Jsp would send back the un-compiled
source  (this is because the url-mapping of the file extension was case
sensitive.)  Unless any configuration option to turn on case insensitivity
cound be demonstrated to not re-create that security hole or open any others
I would be -1 the patch (it would need some extra flair like matching the
url mapping to the file name in addition to the url or re-writing the url to
the cannonical file case).
     That is unless the activation switch was actually named "make
insecure," "create security hole," or "an option that could cost you your
job and your former emplyer's reputation" or something similar.  Another
option is that setting it comes with all sorts of warnings on activation
saying "tomcat is now insecure" and generally annoying messages to the
administrator telling them that they are doing something bad so that when
someone gets burned by it we all can say "well duh!  We told you so."  I
would much rather prefer forcing case sensitivity, there's less issues
involved.

--Danno

----- Original Message -----
From: "Jonathan Pierce" <Jo...@seagram.com>
To: <to...@jakarta.apache.org>
Cc: "Z_Tomcat Alias" <to...@cortexity.com>
Sent: Friday, September 08, 2000 6:38 PM
Subject: Re[3]: BugRat Report #92 was closed (apparently by: Craig R.


> Craig,
>
> I'm not the person who posted the bug report and I agree with you that
> case-sensitive urls is not a bug.
>
> I just thought it might be a nice configurable option to have available
for
> users who want to configure case insensitivity for case insensitive file
> systems. The default behavior can still be case-sensitivity if you feel
the
> performance would be impacted.
>
> Jonathan
>
> ____________________Reply Separator____________________
> Subject:    Re[2]: BugRat Report #92 was closed (apparently by: Craig R.
> Author: tomcat-dev@jakarta.apache.org
> Date:       9/8/00 8:23 PM
>
> According to the html 4.0 spec:
>
> "There may be URIs, or parts of URIs, where case doesn't matter (e.g.,
machine
> names), but identifying these may not be easy. Users should always
consider that
> URIs are case-sensitive (to be on the safe side)."
>
> This sounds to me like it is not required that URLs be case sensitive,
only that
> users should assume that they are just in case.
>
> It wouldn't hurt to support case-insensivity for the part of the URL that
> precedes the context on file systems such as NT which are not case
sensitive.
> Maybe there could be a configurable option as to whether or not to enforce
case
> for the part of the url that precedes the context.
>
> Jonathan
>
> ____________________Reply Separator____________________
> Subject:    Re: BugRat Report #92 was closed (apparently by: Craig R. Mc
> Author: tomcat-dev@jakarta.apache.org
> Date:       9/8/00 5:17 PM
>
> Jonathan Pierce wrote:
>
> > Paths on NT are not case sensitive.
> >
>
> Agreed, but that's not the point.  Resource paths used in HTTP are case
> sensitive.
>
> >
> > Only the part of the URL after the /servlet needs to be case sensitive.
> >
>
> How do you figure that?  From the point of view of HTTP, the context path
and
> the
> "/servlet" prefix are part of the resource path -- the protocol makes
absolutely
> no
> distinction between it and the remainder of the path.
>
> If HTTP were a MIcrosoft-only protocol, I'd be in agreement with you.  But
it's
> not.  Tomcat needs to play by the official specification's rules.
>
> >
> > This also causes a problem when configuring Tomcat to startup as a
service if
> > the app directory parameter is not typed in the correct case.
> >
>
> Is there something so terribly hard about typing it in the correct case
when you
> run into this?  :-)
>
> >
> > Can this be changed to support case insensitivity for the part of the
part
> that
> > precedes the context?
> >
>
> Can it be changed?  Sure.  Will it be changed?  Not in the official
> distribution,
> if my -1 counts for anything (which it does).
>
> Because this is open source, you are welcome to create yourself a patch to
make
> your version of Tomcat non-standard in this respect.  But you're not going
to
> like
> the performance impact this has on figuring out what webapp a request
belongs
> to,
> or what servlet to execute.
>
> >
> > Jonathan
> >
>
> Craig McClanahan
>
> ====================
> See you at ApacheCon Europe <http://www.apachecon.com>!
> Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
> Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
>                                     Applications to Tomcat
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>