httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23346] New: - .htaccess files bypassable by symbolic links
Date Tue, 23 Sep 2003 09:08:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23346>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23346

.htaccess files bypassable by symbolic links

           Summary: .htaccess files bypassable by symbolic links
           Product: Apache httpd-2.0
           Version: 2.0.40
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ben@sigmer.com


Hi,
I've found that apache will ignore .htaccess files (or the equivalent 
<directory> directives) if the directory is by passed by a symbolic link.

For example, if I have a virtual host at 
   /www/bentest.co.uk, 
a .htacces file for password authentication at 
   /www/bentest.co.uk/test/.htaccess 
and another directory at 
   /www/bentest.co.uk/test/info

then symbolically link that directory 'info' to /www/bentest.co.uk/mylink, the .
htaccess file in the middle directory ('test') has been bypassed.  

This seems to be the case for all <directory> directives.  Version 1.3.x manages 
it ok which is why I think it's a bug rather than designed that way.

Thanks,

Ben
Sigmer Technologies Ltd

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message