httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: Symlinks & Content negotiation...
Date Mon, 21 Aug 1995 09:18:23 GMT
   Date: Sun, 20 Aug 1995 17:30:28 -0700 (PDT)
   From: Brian Behlendorf <brian@organic.com>


   Nope, this analysis is correct - changing the access.conf appropriately 
   fixes this.  Is this now a security hole?  If yes, I'll add the comment 
   about changing .htaccess, but leave it on known_bugs - if it's not a 
   security hole I'll move it to compat_notes.  Thoughts?

Hmmm... it would be strange in compat_notes, since I'm pretty sure
that we aren't being incompatible with anything (that is, that the
NCSA base code itself wouldn't match a <Directory> section which named
the *target* of a symlink --- NB the problem applies to all Options,
not just MultiViews).

Also, I don't think it's a security hole if people have set up their
configuration correctly --- it does mean that Scungy Undergraduates
who have FollowSymLinks set on their own ~me directories can defeat
<Directory> restrictions by planting a symlink to the restricted
directory --- but if you're worried about that, you should have
FollowSymLinks turned off for them anyway.

"Pitfalls", perhaps?

rst
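The bypass rst describes, as an added example that is not code from the thread, from NCSA httpd or from Apache: a small Python model of `<Directory>` matching that assumes (as the thread says) sections are matched against the literal requested path by longest prefix and that a symlink component is followed only if the section governing the link's own path has FollowSymLinks. The sandbox layout (a restricted directory, a user home directory, and a planted symlink `leak` pointing at the restricted directory) and the two configurations are constructed here for illustration.

```python
"""Model of <Directory>-by-literal-path matching versus a planted symlink.

Added example; the matching rules below are assumptions for illustration,
not Apache's actual code.  A config is a list of (prefix, options, access)
tuples standing in for <Directory> sections.
"""
import os
import tempfile


def build_sandbox():
    """Construct: ROOT/restricted/secret.txt and ROOT/home/me/leak -> ROOT/restricted."""
    # realpath so the sandbox itself contains no symlinked ancestors (e.g. /var on macOS)
    root = os.path.realpath(tempfile.mkdtemp(prefix="symlink-demo-"))
    restricted = os.path.join(root, "restricted")
    home = os.path.join(root, "home", "me")
    os.mkdir(restricted)
    os.makedirs(home)
    with open(os.path.join(restricted, "secret.txt"), "w") as f:
        f.write("constructed secret; not for undergraduates\n")
    # The "planted" link: lives in the user's tree but points at the restricted tree.
    os.symlink(restricted, os.path.join(home, "leak"))
    return root


def section_for(config, path):
    """Longest section prefix matching the *literal* path (no symlink resolution)."""
    best = None
    for prefix, options, access in config:
        p = prefix.rstrip("/") or "/"
        if path == p or path.startswith(p + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, options, access)
    return best


def serve(config, path):
    """Return 'ALLOW' or 'DENY:<reason>' for a request mapped to filesystem path."""
    parts = path.split("/")
    # Walk every ancestor of the path; each symlink is judged by the section
    # that matches the link's own literal path, never by where it points.
    for i in range(2, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if not os.path.islink(prefix):
            continue
        sec = section_for(config, prefix)
        if sec and "FollowSymLinks" in sec[1]:
            continue
        return "DENY:symlink %s not followed" % prefix
    # Access control is likewise looked up by the literal path: the restricted
    # directory's section is never consulted when the path runs through ~me/leak.
    sec = section_for(config, path)
    if sec and sec[2] == "deny":
        return "DENY:restricted by <Directory %s>" % sec[0]
    if not os.path.isfile(path):
        return "DENY:not found"
    return "ALLOW"


def demo():
    """Run the weak and fixed configurations against the sandbox."""
    root = build_sandbox()
    restricted = os.path.join(root, "restricted")
    home = os.path.join(root, "home", "me")
    direct = os.path.join(restricted, "secret.txt")
    via_link = os.path.join(home, "leak", "secret.txt")

    # Weak: the user's own directory has FollowSymLinks, restricted is denied.
    weak = [
        (root, {"FollowSymLinks"}, "allow"),
        (restricted, set(), "deny"),
        (home, {"FollowSymLinks"}, "allow"),
    ]
    # Fixed (the thread's advice): FollowSymLinks turned off for user directories.
    fixed = [(p, set(), a) if p == home else (p, o, a) for p, o, a in weak]

    return {
        "direct_weak": serve(weak, direct),        # denied: section matches literally
        "via_link_weak": serve(weak, via_link),    # allowed: the bypass
        "via_link_fixed": serve(fixed, via_link),  # denied: link not followed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

The same literal-prefix lookup decides every Option, not only MultiViews, which is why the fix is on the user directory's section rather than on the restricted one: the restricted `<Directory>` is simply never consulted for a path that runs through `~me/leak`. An alternative to switching symlinks off entirely is Apache's SymLinksIfOwnerMatch, which follows a link only when link and target share an owner; that helps here only because the undergraduate does not own the restricted tree, and a deliberately resolved-path check (for example `os.path.realpath` before matching) is a further safety net that this model, like the server described in the thread, does not apply.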
