httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Date Sat, 15 Nov 2008 03:49:34 GMT

--- Comment #10 from Paul B. Henson <>  2008-11-14 19:49:33 PST ---
I've done some further testing, and confirmed that this is only a problem if
the included symbolic link is in the same directory as the shtml file.

Consider the following file served via apache:

$ ls -l /export/user/henson/www/
total 2
-rw-------+  1 henson   csupomona      13 Nov 14 19:24 secured.html

For the sake of discussion, assume this file is readable by the web server, but
restricted to require authentication.

Now, another user creates a symbolic link to that file:

$ ls -l /export/user/astudent/www/symlink.html
lrwxrwxrwx 1 astudent csupomona 36 Nov 14 19:31 /export/user/astudent/www/symlink.html -> /export/user/henson/www/secured.html

Attempting to access the symbolic link directly fails, as SymlinkIfOwnerMatch
is configured:

$ curl
<title>403 Forbidden</title>
<p>You don't have permission to access /~astudent/symlink.html
on this server.</p>

[Fri Nov 14 19:29:06 2008] [error] [client] Symbolic link
not allowed or link target not accessible:

Now, the user creates an SSI file:

$ ls -l /export/user/astudent/www/symlink_ssi.html
-rw-r--r--+ 1 astudent csupomona 40 Nov 14 19:27

Whose contents are:

$ cat /export/user/astudent/www/symlink_ssi.shtml
<!--#include virtual="/~astudent/symlink.html" -->

Accessing this file:

$ curl
Secret data.

Returns the restricted data, bypassing the SymlinkIfOwnerMatch configuration.

As I discovered, this appears to be a bug in ap_directory_walk. Let's say we
move the SSI file to a subdirectory:

$ ls -l /export/user/astudent/www/subdir/symlink_ssi.shtml
-rw-r--r--+  1 astudent csupomona      40 Nov 14 19:27

Attempting to request it then fails as expected:

$ curl
[an error occurred while processing this directive]

[Fri Nov 14 19:37:04 2008] [error] [client] Symbolic link
not allowed or link target not accessible:
[Fri Nov 14 19:37:04 2008] [error] [client] unable to
include "/~astudent/symlink.html" in parsed file

The exact same include behaves differently depending on whether or not the
included file happens to be in the same directory as the SSI.

Again, this would appear to be a security bug to me. Not a critical one by any
means, but still a security bug. I would greatly appreciate some feedback from
a developer on this issue.
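
An audit sketch for administrators, added here as an example and not part of the original report or of Apache: it walks a user web tree and lists `.shtml` files whose include directive names a symbolic link in the same directory whose owner differs from its target's owner, which is the case the report says slips past the owner-match check. The `url_prefix`-to-docroot mapping, the function names and the sample tree are assumptions; `other_owner_stat` only simulates a second owner for the demo.

```python
import os
import re
import tempfile
from pathlib import Path
from types import SimpleNamespace

# Matches <!--#include virtual="..." --> and <!--#include file="..." -->
INCLUDE_RE = re.compile(r'<!--#include\s+(?:virtual|file)="([^"]+)"', re.I)

def owner_mismatch(path, lstat=os.lstat, stat=os.stat):
    """True if path is a symlink owned by a different uid than its target."""
    if not os.path.islink(path):
        return False
    try:
        return lstat(path).st_uid != stat(path).st_uid
    except OSError:
        return False  # dangling link: no target to compare

def audit(docroot, url_prefix, lstat=os.lstat, stat=os.stat):
    """Return (ssi_file, link) pairs: SSI file includes a same-directory mismatched link."""
    docroot = os.path.normpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in (f for f in files if f.endswith(".shtml")):
            ssi = os.path.join(dirpath, name)
            with open(ssi, errors="replace") as fh:
                targets = INCLUDE_RE.findall(fh.read())
            for t in targets:
                # Assumption: URLs under url_prefix map onto docroot; others are relative.
                base, rel = (docroot, t[len(url_prefix):]) if t.startswith(url_prefix) else (dirpath, t)
                fs = os.path.normpath(os.path.join(base, rel))
                if os.path.dirname(fs) == dirpath and owner_mismatch(fs, lstat, stat):
                    findings.append((ssi, fs))
    return sorted(findings)

def build_demo():
    """Constructed sample tree mirroring the report's layout (paths are hypothetical)."""
    www = Path(tempfile.mkdtemp(), "astudent", "www")
    (www / "subdir").mkdir(parents=True)
    secured = www.parent / "secured.html"
    secured.write_text("Secret data.\n")
    os.symlink(secured, www / "symlink.html")
    for ssi in (www / "symlink_ssi.shtml", www / "subdir" / "symlink_ssi.shtml"):
        ssi.write_text('<!--#include virtual="/~astudent/symlink.html" -->\n')
    return str(www)

def other_owner_stat(path):
    """Demo stand-in for os.stat that reports the target as owned by another uid."""
    return SimpleNamespace(st_uid=os.lstat(path).st_uid + 1)
```

On a real tree, call `audit(docroot, url_prefix)` with the default `os.stat`; the copy in `subdir` is deliberately not reported because the report shows that case being refused as expected.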
