httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45959] New: SSI include ignores SymlinkIfOwnerMatch directive
Date Tue, 07 Oct 2008 01:56:01 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

           Summary: SSI include ignores SymlinkIfOwnerMatch directive
           Product: Apache httpd-2
           Version: 2.2.8
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_include
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: henson@acm.org


I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and
server-side includes enabled.

It looks like the server-side include "include" directive ignores the
setting of SymlinkIfOwnerMatch?

For example, let's say I have an htpasswd configuration file outside of
the document root:

-rw-r-----   1 root     webservd       7 Oct  3 14:00
/usr/pkg/etc/httpd/htpasswd

If I then make a symbolic link to that from a user account:

lrwxrwxrwx   1 henson   csupomona      27 Oct  3 14:01
/user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd


Access is forbidden, with the following message in the log file:

[Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link
not
allowed or link target not accessible: /export/user/henson/www/pass.html


However, if I create a server parsed HTML file in the same directory
containing the following:

        <!--#include file="pass.html" -->

When I request the .shtml file, the contents of the file pointed to by
the
symbolic link are included.

I had thought that configuring server side includes with IncludesNoExec
was reasonably safe, but it would appear that such a configuration allows
any file readable by the web server itself to be served?

I took a look at mod_include.c, the include directive appears to be handled
by the handle_include function which calls either ap_sub_req_lookup_file or
ap_sub_req_lookup_uri depending on whether the include is file or
virtual, and then calls ap_run_sub_req to presumably handle dumping out the
content of the include.

As a sub request, I would have intuitively thought it would honor the
configuration setting regarding symbolic links?

Am I confused? Is there something wrong with my configuration? Is this an
expected behavior (I searched quite a bit and didn't find anything
relevant)? I also posted to the mailing list last week:

http://marc.info/?l=apache-httpd-users&m=122306900916369&w=2

And didn't receive any responses that really answered my questions.

Thanks much for any help...


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message