httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51510] New: AllowOverride "leakage"
Date Thu, 14 Jul 2011 20:14:59 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51510

             Bug #: 51510
           Summary: AllowOverride "leakage"
           Product: Apache httpd-2
           Version: 2.2.19
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jarek@adeon.lublin.pl
    Classification: Unclassified


Imagine that we have a simple VirtualHost definition:

<VirtualHost 1.2.3.4:80>
(...)
    <Directory /home/xxx/public_html>
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,MultiViews,FollowSymLinks
        Options +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>

As you can see above, the user should not have the ability to omit
SymLinksIfOwnerMatch in a lower-level context (like .htaccess).
SymLinksIfOwnerMatch is not listed in AllowOverride and is enabled by default.
The user should not have the ability to read symlinks to other users' files.


Example #1:
echo "Options -SymLinksIfOwnerMatch" > /home/xxx/public_html/.htaccess
result: internal server error (correct)


Example #2:
echo "Options +FollowSymLinks" > /home/xxx/public_html/.htaccess
result: the user is able to read symlinks to his own files (correct);
the user is unable to read files owned by other users (correct)


Example #3:
echo "Options FollowSymLinks" > /home/xxx/public_html/.htaccess
result: SymLinksIfOwnerMatch is disabled! 
User is able to read symlinks to files owned by other users!

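The three results in the report follow from one documented property of the Options directive: an argument list without a leading + or - replaces the inherited option set outright, while AllowOverride Options=... only restricts which option names an .htaccess may mention, not which form it uses. The Python below is an added example that models that rule; it is not httpd code and not part of the bug report. DIRECTORY_OPTIONS, ALLOWED_OVERRIDE, apply_options and classify are names of my own, the sample .htaccess lines are the three from the report, and HARDENED_OVERRIDE is an assumed admin-side mitigation (keep FollowSymLinks out of the Options= list so an .htaccess cannot enable it in either form), not a fix the report proposes.

```python
"""Simplified model of how an .htaccess `Options` line is applied on top of the
options inherited from the enclosing <Directory>, following the documented rule
(plain list replaces the set, +/- list adjusts it, AllowOverride Options=...
restricts only the names).  Added example, not httpd source; names and sample
inputs are constructed for illustration."""

# Option set the <Directory> block in the report grants.
DIRECTORY_OPTIONS = frozenset(
    {"Indexes", "MultiViews", "FollowSymLinks", "SymLinksIfOwnerMatch"}
)

# Names an .htaccess may use, per
# `AllowOverride ... Options=Indexes,MultiViews,FollowSymLinks` in the report.
ALLOWED_OVERRIDE = frozenset({"Indexes", "MultiViews", "FollowSymLinks"})

# Assumed mitigation (not from the report): drop FollowSymLinks from the
# Options= list so an .htaccess can never turn it on in either form.
HARDENED_OVERRIDE = frozenset({"Indexes", "MultiViews"})


class HtaccessError(Exception):
    """Where httpd would log a configuration error and answer 500."""


def apply_options(line, base=DIRECTORY_OPTIONS, allowed=ALLOWED_OVERRIDE):
    """Return the option set in force after `line` is applied on top of `base`.

    Only the option names that matter for this bug are modelled; `All` and the
    other keywords the report does not use are out of scope.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() != "options":
        raise HtaccessError("not an Options directive: %r" % line)
    args = tokens[1:]
    relative = [arg[0] in "+-" for arg in args]
    if any(relative) and not all(relative):
        # httpd rejects a mix of relative and absolute arguments.
        raise HtaccessError("mixing +/- and plain Options arguments: %r" % line)
    names = [arg.lstrip("+-") for arg in args]
    for name in names:
        # Options=... is only an allow-list of names; it does not care whether
        # the argument is absolute or relative.  That is the whole problem.
        if name != "None" and name not in allowed:
            raise HtaccessError("%s not permitted by AllowOverride Options=" % name)
    if all(relative):
        result = set(base)  # +/- form: adjust the inherited set
        for arg, name in zip(args, names):
            if arg[0] == "+":
                result.add(name)
            else:
                result.discard(name)
        return frozenset(result)
    # Plain form: the set becomes exactly what is listed, so anything the
    # <Directory> had that the .htaccess may not even name is silently dropped.
    return frozenset(name for name in names if name != "None")


def follows_symlinks_without_owner_check(options):
    """The state the report calls a leak: FollowSymLinks on, SymLinksIfOwnerMatch off."""
    return "FollowSymLinks" in options and "SymLinksIfOwnerMatch" not in options


def classify(line, allowed=ALLOWED_OVERRIDE):
    """'500' (rejected), 'leak' (symlinks followed without owner check) or 'ok'."""
    try:
        options = apply_options(line, allowed=allowed)
    except HtaccessError:
        return "500"
    return "leak" if follows_symlinks_without_owner_check(options) else "ok"


if __name__ == "__main__":
    # The three .htaccess lines from the report, under the reported
    # AllowOverride and under the assumed hardened one.
    for line in ("Options -SymLinksIfOwnerMatch",
                 "Options +FollowSymLinks",
                 "Options FollowSymLinks"):
        print("%-30s reported: %-4s hardened: %s"
              % (line, classify(line), classify(line, HARDENED_OVERRIDE)))
```

With the reported AllowOverride, the model reproduces examples #1 (500), #2 (both symlink options still set) and #3 (only FollowSymLinks left). With FollowSymLinks removed from the Options= list, example #3 is rejected with 500 as well; an .htaccess can still use the plain form to clear the inherited options (for instance `Options Indexes`), but that turns symlink following off entirely rather than turning the owner check off.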