httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 56531] New: FollowSymLinks allows serving files from root file system
Date Thu, 15 May 2014 17:48:57 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56531

            Bug ID: 56531
           Summary: FollowSymLinks allows serving files from root file
                    system
           Product: Apache httpd-2
           Version: 2.4.9
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: smares@me.com

I assumed having a <Directory /> block with Options None and Require all denied
would be enough to prevent Apache from serving files from the file system root,
but it does not. A symlink in /var/www/ pointing to /etc/ allows serving files
from /etc/. One can of course use SymLinksIfOwnerMatch, but I find the current
behavior still somewhat dangerous especially since Linux distros come with
FollowSymLinks enabled by default and it's also recommended for performance.
