httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Date Fri, 10 Oct 2008 01:01:12 GMT

Paul B. Henson <> changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #3 from Paul B. Henson <>  2008-10-09 18:01:12 PST ---
Thanks for taking a look at this. However, include virtual appears to have the
exact same problem. Given the following files in my web home directory:

lrwxrwxrwx 1 henson csupomona 27 Oct  3 14:01 pass.html ->
-rw-r--r-- 1 henson csupomona 37 Oct  9 17:50 test_ssi.shtml

If I attempt to access /~henson/pass.html, I receive "Forbidden You don't have
permission to access /~henson/pass.html on this server." as expected.

The contents of test_ssi.shtml are:

<!--#include virtual="pass.html" -->

When I access /~henson/test_ssi.shtml, the contents of
/usr/pkg/etc/httpd/htpasswd appear in my browser.

As far as I can tell, "include virtual" also appears to ignore the setting of

In addition, while you can enable includes without exec, I don't believe there
is a way to allow include virtual only; IncludesNoExec allows both file and
virtual includes. So even if include virtual respected SymlinkIfOwnerMatch
(which it appears not to, unless I am missing something), it would not resolve
the issue of being able to have SSI enabled on a server while preventing users
from serving content via symbolic links.
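
An added example, not part of the original bug comment and not Apache httpd code: a Python audit that lists symlinks whose owner differs from the owner of their target (the condition Apache's SymLinksIfOwnerMatch option is meant to refuse) and the .shtml pages whose include directives name those links. The function names, the injectable stat parameters and the relative-path resolution are assumptions of this example; URL-absolute virtual paths are skipped because resolving them needs the server's URL mapping.

```python
#!/usr/bin/env python3
"""Audit a web directory for owner-mismatched symlinks reachable via SSI includes."""
import os
import re
import sys
from pathlib import Path

# Matches <!--#include virtual="x" --> and <!--#include file="x" -->
INCLUDE_RE = re.compile(r'<!--#include\s+(?:virtual|file)\s*=\s*"([^"]+)"', re.I)


def mismatched_symlinks(root, lstat=os.lstat, stat=os.stat):
    """Symlinks under root whose owner uid differs from the target's owner uid.

    lstat/stat are injectable (hypothetical parameters) so the check can be tested.
    """
    flagged = set()
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            try:
                if lstat(path).st_uid != stat(path).st_uid:
                    flagged.add(os.path.abspath(path))
            except OSError:  # dangling or unreadable target: report it as well
                flagged.add(os.path.abspath(path))
    return flagged


def ssi_includes_of(root, flagged):
    """(page, reference) pairs where an SSI include names a flagged symlink."""
    hits = []
    for page in sorted(p for p in Path(root).rglob("*.shtml") if p.is_file()):
        for ref in INCLUDE_RE.findall(page.read_text(errors="replace")):
            if ref.startswith("/"):
                continue  # assumption: URL-absolute paths need the server's mapping
            if os.path.abspath(os.path.join(page.parent, ref)) in flagged:
                hits.append((str(page), ref))
    return hits


if __name__ == "__main__":
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    links = mismatched_symlinks(docroot)
    for link in sorted(links):
        print(f"owner mismatch: {link} -> {os.path.realpath(link)}")
    for page, ref in ssi_includes_of(docroot, links):
        print(f"SSI include of flagged link: {page} includes {ref}")
```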
