httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Date Fri, 10 Oct 2008 01:01:12 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45959


Paul B. Henson <henson@acm.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




--- Comment #3 from Paul B. Henson <henson@acm.org>  2008-10-09 18:01:12 PST ---
Thanks for taking a look at this. However, include virtual appears to have the
exact same problem. Given the following files in my web home directory:

lrwxrwxrwx 1 henson csupomona 27 Oct  3 14:01 pass.html -> /usr/pkg/etc/httpd/htpasswd
-rw-r--r-- 1 henson csupomona 37 Oct  9 17:50 test_ssi.shtml

If I attempt to access /~henson/pass.html, I receive "Forbidden You don't have
permission to access /~henson/pass.html on this server." as expected.

The contents of test_ssi.shtml are:

<!--#include virtual="pass.html" -->

When I access /~henson/test_ssi.shtml, the contents of
/usr/pkg/etc/httpd/htpasswd appear in my browser.

As far as I can tell, "include virtual" also appears to ignore the setting of
SymlinkIfOwnerMatch.

In addition, while you can enable includes without exec, I don't believe there
is a way to allow include virtual only; IncludesNoExec allows both file and
virtual includes. So even if include virtual respected SymlinkIfOwnerMatch
(which it appears not to, unless I am missing something), it would not resolve
the issue of being able to have SSI enabled on a server while preventing users
from serving content via symbolic links.


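A defender-side audit for the layout described in this comment, added here as an example and not part of the original message or of Apache httpd: it lists SSI pages whose relative include reference passes through a symlink that is not owned by the owner of its target, the condition Apache's SymLinksIfOwnerMatch option is meant to reject. The function names, the injectable stat hooks and the demo tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path
from types import SimpleNamespace

# mod_include directives of the form shown in the report
INCLUDE_RE = re.compile(r'<!--#include\s+(virtual|file)="([^"]+)"\s*-->')

def owner_mismatch(path, lstat=os.lstat, stat=os.stat):
    """True if path is a symlink not owned by the owner of its target."""
    if not os.path.islink(path):
        return False
    try:
        return lstat(path).st_uid != stat(path).st_uid
    except OSError:
        return True  # dangling or unreadable target: report it

def audit_ssi(docroot, lstat=os.lstat, stat=os.stat):
    """List (page, kind, ref) for includes that traverse a symlink failing the
    owner test. Assumption: absolute virtual paths (URL-mapped) are skipped."""
    findings = []
    for page in sorted(Path(docroot).rglob("*.shtml")):
        for kind, ref in INCLUDE_RE.findall(page.read_text(errors="replace")):
            if ref.startswith("/"):
                continue
            cur = page.parent
            for part in Path(ref.split("?")[0]).parts:
                cur = cur / part  # check every component of the reference
                if owner_mismatch(cur, lstat, stat):
                    findings.append((page.name, kind, ref))
                    break
    return findings

def make_demo(tmp):
    """Constructed tree mirroring the report; returns (docroot, stat stub)."""
    docroot, secret = Path(tmp, "public_html"), Path(tmp, "htpasswd")
    docroot.mkdir()
    secret.write_text("constructed:placeholder\n")
    (docroot / "pass.html").symlink_to(secret)
    (docroot / "test_ssi.shtml").write_text('<!--#include virtual="pass.html" -->\n')
    (docroot / "ok.shtml").write_text('<!--#include virtual="test_ssi.shtml" -->\n')
    # Stub makes every link target appear to be owned by a different uid.
    other = lambda p: SimpleNamespace(st_uid=os.lstat(p).st_uid + 1)
    return docroot, other

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docroot, stub = make_demo(tmp)
        print(audit_ssi(docroot, stat=stub))
```

Run against a real user directory with the default stat hooks; the stub exists only so the demo shows a mismatch when every file is created by one account.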