Mac OS X Server 10.2 or later: "mod_hfs_apple" protects web content against case insensitivity in the HFS file system

In Mac OS X Server 10.2 or later, "mod_hfs_apple" has been enhanced to protect web content against case insensitivity in the HFS file system. When this feature is in use, security realms are enforced on web folders/directories regardless of the letter case used in the URL that requests the served web content.

Warning:

  1. The protection afforded by mod_hfs_apple applies only to the default webserver, apache1. If you have chosen to use apache2, beware that these protections do not apply.
  2. For important related information, see Protection for sensitive files when using Apache on an HFS+ volume.

Note: This document is a reproduction of information included with Late Breaking News in Mac OS X Server 10.2.2.

The HFS Extended volume format commonly used for Mac OS X Server preserves the case of file names but does not distinguish between a file or folder named "Example" and one named "eXaMpLe". Were it not for mod_hfs_apple, this would be a potential issue when your web content resides on such a volume and you are attempting to restrict access to all or part of your web content using security realms. If you set up a security realm requiring browsers to use a name and a password for read-only access to content within a folder named "Protected", browsers would need to authenticate in order to access the following URLs:

http://example.com/Protected
http://example.com/Protected/secret
http://example.com/Protected/sECreT

But they could bypass it by using something like the following:

http://example.com/PrOtECted
http://example.com/PrOtECted/secret
http://example.com/PrOtECted/sECreT

Fortunately, mod_hfs_apple prevents those types of efforts to bypass the security realm, and it's enabled by default.

Note that mod_hfs_apple operates on folders; it is NOT intended to prevent access to individual files. A file named "secret" can be accessed as "seCREt". This is correct behavior, and does not allow bypassing security realms.

The warning message that mod_hfs_apple writes to the Web Service error log has prompted questions about whether the module is functioning. These warning messages do not indicate a problem: mod_hfs_apple is operating correctly when they appear.

You can verify that mod_hfs_apple is operating correctly by creating a security realm and attempting to bypass it with a case variant of the actual URL. You will be denied access, and the attempt is logged in the Web Service error log with a message similar to the following:

[Wed Jul 31 10:29:16 2002] [error] [client 17.221.41.31] Mis-cased URI: /Library/WebServer/Documents/PrOTecTED/secret, wants: /Library/WebServer/Documents/Protected/
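As an added example, not part of Apple's article and not mod_hfs_apple's own code, the following Python emulates the folder-only case check described above (directory components must match their on-disk spelling, a final file component may not) and parses the "Mis-cased URI" denial line from the Web Service error log. The document tree it builds, the URLs it checks and the sample log line are constructed for the example; the single-line log layout is assumed to match the wrapped message shown above.

```python
import os
import re
import tempfile

# Shape of the denial mod_hfs_apple writes to the Web Service error log, taken
# as one line (the article shows it wrapped). Timestamp and client fields
# follow the usual Apache 1.3 error-log layout; this layout is an assumption.
MISCASED_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Mis-cased URI: (?P<requested>\S+), wants: (?P<wants>\S+)$"
)

# Constructed sample line, modelled on the one in the article.
SAMPLE_LOG_LINE = (
    "[Wed Jul 31 10:29:16 2002] [error] [client 17.221.41.31] Mis-cased URI: "
    "/Library/WebServer/Documents/PrOTecTED/secret, wants: "
    "/Library/WebServer/Documents/Protected/"
)


def parse_miscased(line):
    """Return the fields of a 'Mis-cased URI' log line, or None for any other line."""
    m = MISCASED_RE.match(line.strip())
    return m.groupdict() if m else None


def check_directory_case(docroot, uri):
    """Emulate the check the article describes: walk the requested path one
    component at a time and require every *directory* component to be spelled
    exactly as it is on disk. A final file component may differ in case, which
    matches the documented behaviour (folders are protected, files are not).

    Returns (status, requested_path, wants_path); status is 'ok', 'mis-cased'
    or 'not-found', and wants_path is the canonical directory (with a trailing
    slash, as in the log line) when status is 'mis-cased'.
    """
    components = [c for c in uri.split("/") if c]
    requested = os.path.join(docroot, *components)
    current = docroot
    for component in components:
        try:
            entries = os.listdir(current)
        except OSError:
            return ("not-found", requested, None)
        # Case-insensitive lookup so the check behaves the same on HFS+ and on
        # a case-sensitive file system such as ext4.
        actual = next((e for e in entries if e.lower() == component.lower()), None)
        if actual is None:
            return ("not-found", requested, None)
        real_path = os.path.join(current, actual)
        if os.path.isdir(real_path) and actual != component:
            return ("mis-cased", requested, real_path + "/")
        current = real_path
    return ("ok", current, None)


def demo():
    """Build a constructed document tree holding Protected/secret (not a real
    server's content) and evaluate the article's URLs against it."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "Protected"))
        with open(os.path.join(docroot, "Protected", "secret"), "w") as fh:
            fh.write("restricted content\n")
        uris = ["/Protected", "/Protected/secret", "/Protected/sECreT",
                "/PrOtECted", "/PrOtECted/secret", "/PrOtECted/sECreT"]
        return {uri: check_directory_case(docroot, uri)[0] for uri in uris}


if __name__ == "__main__":
    for uri, status in demo().items():
        print(f"{uri:22} -> {status}")
    print(parse_miscased(SAMPLE_LOG_LINE))
```

The "/Protected/sECreT" request comes back as "ok" on purpose: the folder is spelled correctly, and the article states that case variants of a file name are allowed and do not bypass the realm. The parser is the piece you would run over the error log to count denials per client when confirming the module is doing its job.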
Published Date: Feb 19, 2012