httpd-bugs mailing list archives

Subject [Bug 56531] New: FollowSymLinks allows serving files from root file system
Date Thu, 15 May 2014 17:48:57 GMT

            Bug ID: 56531
           Summary: FollowSymLinks allows serving files from root file
           Product: Apache httpd-2
           Version: 2.4.9
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core

I assumed having a <Directory /> block with Options None and Require all denied
would be enough to prevent Apache from serving files from the file system root,
but it does not. A symlink in /var/www/ pointing to /etc/ allows serving files
from /etc/. One can of course use SymLinksIfOwnerMatch, but I find the current
behavior still somewhat dangerous especially since Linux distros come with
FollowSymLinks enabled by default and it's also recommended for performance.

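An audit for the situation the report describes, added here as an example and not part of the original message or of Apache httpd: it lists symlinks under a document root whose resolved target lies outside that root, and records whether the link and its target share an owner, which is the comparison `SymLinksIfOwnerMatch` makes. The function names and the temporary directory layout standing in for /var/www and /etc are assumptions.

```python
import os
import tempfile


def find_escaping_symlinks(docroot):
    """Return (link, resolved_target, owner_match) for each symlink under
    docroot whose resolved target lies outside docroot."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report the link itself, do not descend through it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) == root:
                continue  # target stays inside the document root
            try:
                # Link uid (lstat) against target uid (stat).
                owner_match = os.lstat(path).st_uid == os.stat(target).st_uid
            except OSError:
                owner_match = None  # dangling link, nothing behind it
            findings.append((path, target, owner_match))
    return sorted(findings)


def demo():
    """Constructed layout: 'www' stands in for /var/www, 'etc' for /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        docroot = os.path.join(tmp, "www")
        outside = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(docroot, "site"))
        os.makedirs(outside)
        # Escapes the document root, like the link in the report.
        os.symlink(outside, os.path.join(docroot, "conf"))
        # Stays inside the document root, so it is not reported.
        os.symlink(os.path.join(docroot, "site"), os.path.join(docroot, "alias"))
        # Escapes, but the target does not exist.
        os.symlink(os.path.join(tmp, "missing"),
                   os.path.join(docroot, "site", "dangling"))
        return [(os.path.relpath(link, docroot), match)
                for link, _, match in find_escaping_symlinks(docroot)]


if __name__ == "__main__":
    for link, match in demo():
        print(link, "owner_match =", match)
```

A finding with `owner_match` set to `True` is one that switching to `SymLinksIfOwnerMatch` alone would still follow, so those links need to be reviewed individually.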