httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: Symlinks & Content negotiation...
Date Tue, 22 Aug 1995 06:41:54 GMT
On Mon, 21 Aug 1995, Robert S. Thau wrote:
>    From: Brian Behlendorf <brian@organic.com>
> 
>    Nope, this analysis is correct - changing the access.conf appropriately 
>    fixes this.  Is this now a security hole?  If yes, I'll add the comment 
>    about changing .htaccess, but leave it on known_bugs - if it's not a 
>    security hole I'll move it to compat_notes.  Thoughts?
> 
> Hmmm... it would be strange in compat_notes, since I'm pretty sure
> that we aren't being incompatible with anything (that is, that the
> NCSA base code itself wouldn't match a <Directory> section which named
> the *target* of a symlink --- NB the problem applies to all Options,
> not just MultiViews).
> 
> Also, I don't think it's a security hole if people have set up their
> configuration correctly --- it does mean that Scungy Undergraduates
> who have FollowSymLinks set on their own ~me directories can defeat
> <Directory> restrictions by planting a symlink to the restricted
> directory --- but if you're worried about that, you should have
> FollowSymLinks turned off for them anyway.
> 
> "Pitfalls", perhaps?

Okay, I've swallowed my bug-reporting pride and removed it from the 
known_bugs list.  I'll try and be more rigorous about bugs I report, I 
know we have plenty to deal with anyways. :)

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
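
An audit for the pitfall discussed in this message, as an added example that is not part of the original post or of Apache's own code: it lists symlinks under a user's web directory whose resolved target lies inside a directory the administrator restricts with a <Directory> section. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

def find_escaping_symlinks(user_root, restricted_dirs):
    """Return sorted (link, resolved_target) pairs for symlinks under
    user_root whose real target lies inside a restricted directory."""
    restricted = [os.path.realpath(d) for d in restricted_dirs]
    hits = []
    # followlinks=False: symlinks are reported, never walked through.
    for dirpath, dirnames, filenames in os.walk(user_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            for r in restricted:
                # Compare whole path components so /restricted2 does not
                # count as being inside /restricted.
                if target == r or target.startswith(r + os.sep):
                    hits.append((path, target))
                    break
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: a restricted directory plus a user directory
    holding one link into it and one link that stays inside the user tree."""
    restricted = os.path.join(base, "restricted")
    user = os.path.join(base, "home", "me", "public_html")
    os.makedirs(restricted)
    os.makedirs(os.path.join(user, "notes"))
    open(os.path.join(restricted, "report.html"), "w").close()
    os.symlink(restricted, os.path.join(user, "peek"))
    os.symlink(os.path.join(user, "notes"), os.path.join(user, "mynotes"))
    return user, restricted

def demo():
    """Run the audit on the constructed tree; return paths relative to it."""
    with tempfile.TemporaryDirectory() as base:
        user, restricted = build_sample_tree(base)
        real_base = os.path.realpath(base)
        return [(os.path.relpath(link, base), os.path.relpath(target, real_base))
                for link, target in find_escaping_symlinks(user, [restricted])]

if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

Any link it reports is served under the options of the directory containing the link, not those of the <Directory> section naming its target.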

