Add a note about case-sensitivity to the windows platform docs.

Partially in response to the disputed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@433005 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/manual/platform/windows.html.en b/docs/manual/platform/windows.html.en
index 3a11c15173dd693dc968b1157266d68109d38ac5..852750ea569b1683c72fd6710c379fb6d1376c1d 100644 (file)
--- a/docs/manual/platform/windows.html.en
+++ b/docs/manual/platform/windows.html.en
@@ -227,6 +227,25 @@
       not backslashes. Drive letters can be used; if omitted, the drive
       with the Apache executable will be assumed.</p></li>
 
+      <li><p>While filenames are generally case-insensitive on
+      Windows, URLs are still treated internally as case-sensitive
+      before they are mapped to the filesystem.  For example, the
+      <code class="directive"><a href="../mod/core.html#location">&lt;Location&gt;</a></code>,
+      <code class="directive"><a href="../mod/mod_alias.html#alias">Alias</a></code>, and <code class="directive"><a href="../mod/mod_proxy.html#proxypass">ProxyPass</a></code> directives all use
+      case-sensitive arguments.  For this reason, it is particularly
+      important to use the <code class="directive"><a href="../mod/core.html#directory">&lt;Directory&gt;</a></code> directive when attempting
+      to limit access to content in the filesystem, since this
+      directive applies to any content in a directory, regardless of
+      how it is accessed.  If you wish to assure that only lowercase
+      is used in URLs, you can use something like:</p>
+
+      <div class="example"><p><code>
+      RewriteEngine On<br />
+      RewriteMap lowercase int:tolower<br />
+      RewriteCond %{REQUEST_URI} [A-Z]<br />
+      RewriteRule (.*) ${lowercase:$1} [R,L]
+      </code></p></div></li>
+
       <li><p>Apache for Windows contains the ability to load modules at
       runtime, without recompiling the server. If Apache is compiled
       normally, it will install a number of optional modules in the

diff --git a/docs/manual/platform/windows.xml b/docs/manual/platform/windows.xml
index 8f581187d0e1c8af8101ca55077d937006e0545d..e549739c3baa1445b746313f6744cd3e7fe54db9 100644 (file)
--- a/docs/manual/platform/windows.xml
+++ b/docs/manual/platform/windows.xml
@@ -225,6 +225,27 @@
       not backslashes. Drive letters can be used; if omitted, the drive
       with the Apache executable will be assumed.</p></li>
 
+      <li><p>While filenames are generally case-insensitive on
+      Windows, URLs are still treated internally as case-sensitive
+      before they are mapped to the filesystem.  For example, the
+      <directive module="core" type="section">Location</directive>,
+      <directive module="mod_alias">Alias</directive>, and <directive
+      module="mod_proxy">ProxyPass</directive> directives all use
+      case-sensitive arguments.  For this reason, it is particularly
+      important to use the <directive module="core"
+      type="section">Directory</directive> directive when attempting
+      to limit access to content in the filesystem, since this
+      directive applies to any content in a directory, regardless of
+      how it is accessed.  If you wish to assure that only lowercase
+      is used in URLs, you can use something like:</p>
+
+      <example>
+      RewriteEngine On<br />
+      RewriteMap lowercase int:tolower<br />
+      RewriteCond %{REQUEST_URI} [A-Z]<br />
+      RewriteRule (.*) ${lowercase:$1} [R,L]
+      </example></li>
+
       <li><p>Apache for Windows contains the ability to load modules at
       runtime, without recompiling the server. If Apache is compiled
       normally, it will install a number of optional modules in the