httpd-cvs mailing list archives

From field...@apache.org
Subject cvs commit: httpd-2.0/docs/conf httpd-std.conf.in httpd-win.conf
Date Mon, 14 Jul 2003 13:26:15 GMT
fielding    2003/07/14 06:26:14

  Modified:    docs/conf httpd-std.conf.in httpd-win.conf
  Log:
  When the top-level directory section for / was added for the sake
  of performance and to allow automount symlinks to be followed, we
  mistakenly opened access to the entire directory system by default.
  I noticed this because all of the /~user directories are available
  by default without any restrictions, which is a bad idea for anything
  other than one server within a department of shared users.  However,
  it also makes it easier to serve files anywhere on disk by mistake,
  and makes other URI-handling bugs more severe than they would be
  otherwise.  Therefore, this patch reinstates access control to deny
  access to all files other than under DocumentRoot, icons, and manual,
  until additional directory/locations are explicitly allowed by the admin.
  
  Revision  Changes    Path
  1.48      +4 -1      httpd-2.0/docs/conf/httpd-std.conf.in
  
  Index: httpd-std.conf.in
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/conf/httpd-std.conf.in,v
  retrieving revision 1.47
  retrieving revision 1.48
  diff -u -r1.47 -r1.48
  --- httpd-std.conf.in	10 Jul 2003 15:34:36 -0000	1.47
  +++ httpd-std.conf.in	14 Jul 2003 13:26:14 -0000	1.48
  @@ -317,6 +317,8 @@
   <Directory />
       Options FollowSymLinks
       AllowOverride None
  +    Order deny,allow
  +    Deny from all
   </Directory>
   
   #
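
Review bot: "Options FollowSymLinks" is left in the same <Directory /> block as the new "Deny from all", so the deny does not cover a file reached through a symlink placed inside an allowed directory: httpd follows the link but still matches <Directory> sections against the requested pathname, not the link target. Since the log message says the option is kept for performance and automounts, suggest a comment above the block stating this limit, so admins do not read the default deny as confinement to DocumentRoot.
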
  @@ -362,7 +364,8 @@
   
   #
   # UserDir: The name of the directory that is appended onto a user's home
  -# directory if a ~user request is received.
  +# directory if a ~user request is received.  Note that you must also set
  +# the default access control for these directories, as in the example below.
   #
   <IfModule mod_userdir.c>
       UserDir public_html
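
Review bot: the added comment tells the admin to set access control, but "UserDir public_html" on the context line below it stays enabled, and the comment does not say what happens if the admin does nothing. With the "Deny from all" added to <Directory /> earlier in this file, ~user requests are refused until a matching <Directory> block allows them; suggest saying so here, e.g. "otherwise requests for ~user are denied by the default set on / above".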
  
  
  
  1.94      +4 -1      httpd-2.0/docs/conf/httpd-win.conf
  
  Index: httpd-win.conf
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/conf/httpd-win.conf,v
  retrieving revision 1.93
  retrieving revision 1.94
  diff -u -r1.93 -r1.94
  --- httpd-win.conf	10 Jul 2003 15:34:37 -0000	1.93
  +++ httpd-win.conf	14 Jul 2003 13:26:14 -0000	1.94
  @@ -244,6 +244,8 @@
   <Directory />
       Options FollowSymLinks
       AllowOverride None
  +    Order deny,allow
  +    Deny from all
   </Directory>
   
   #
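
Review bot: the two lines added to <Directory /> go in without any comment explaining the new default. After this change each directory the admin serves from outside the allowed set needs its own <Directory> block with an Allow, which is easy to miss when adding an Alias. Suggest a short comment above the block, e.g. "# Deny access to the whole filesystem by default; allow specific directories in their own <Directory> sections below."
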
  @@ -291,7 +293,8 @@
   # UserDir: The name of the directory that is appended onto a user's home
   # directory if a ~user request is received.  Be especially careful to use
   # proper, forward slashes here.  On Windows NT, "Personal/My Website"
  -# is a more appropriate choice.
  +# is a more appropriate choice.  Note that you must also set the default
  +# access control for these directories, as in the example below.
   #
   UserDir "My Documents/My Website"
   
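
Review bot: "as in the example below" in the added comment does not identify the example, and nothing in this hunk shows it. Suggest naming the <Directory> block that is meant and the directives the admin has to supply (Order and Allow), and noting that its path has to cover the quoted UserDir value, "My Documents/My Website", for the access rule to apply.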
  
  
  
