httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 14206] DirectoryIndex circumvents -FollowSymLinks option
Date Thu, 29 Jan 2009 15:21:46 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=14206





--- Comment #3 from Dan Poirier <poirier@pobox.com>  2009-01-29 07:21:45 PST ---
(Not strictly a security issue, since FollowSymLinks is explicitly documented
that we shouldn't rely on it for security.)

This bug is still present in 2.2.11, but not in trunk.

Here's the change in mod_dir.c that seems to have fixed it:

http://svn.apache.org/viewvc?view=rev&revision=620133

This change was discussed a while back, starting here:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%3C335D1A4B-25E2-4FF1-8CDF-5010A7FBD293@webweaving.org%3E

and the consensus was to make the change in trunk and see if any problems
turned up.

It's been almost a year now and the change is still in.  Maybe it's time to
consider backporting it to 2.2.x.

