httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 51510] New: AllowOverride "leakage"
Date Thu, 14 Jul 2011 20:14:59 GMT

             Bug #: 51510
           Summary: AllowOverride "leakage"
           Product: Apache httpd-2
           Version: 2.2.19
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Core
    Classification: Unclassified

Imagine that we've simple VirtualHost definition:

 <Directory /home/xxx/public_html>
 AllowOverride AuthConfig FileInfo Indexes Limit
 Options +SymLinksIfOwnerMatch 

As you can see above, user should not have the ability to omit
SymLinksIfOwnerMatch in lower level context (like .htaccess).
SymLinksIfOwnerMatch is not typed in AllowOverride and defaulty enabled. 
User should not have ability to read symlinks to other users' files.

Example #1:
echo "Options -SymLinksIfOwnerMatch" > /home/xxx/public_html/.htaccess
result: internal server error (correct)

Example #2:
echo "Options +FollowSymLinks" > /home/xxx/public_html/.htaccess
result: user is able to read symlinks to his own files (correct)
user is unable to read files owned by other users (correct)

Example #3:
echo "Options FollowSymLinks" > /home/xxx/public_html/.htaccess
result: SymLinksIfOwnerMatch is disabled! 
User is able to read symlinks to files owned by other users!

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message