httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: mod_cern_meta problems with recent change
Date Wed, 25 Jun 1997 08:51:40 GMT
What if the file is a symlink and symlinks are forbidden? 

Yeah a subrequest is overkill, but I can't think of a more thorough method
of respecting all of our security controls. 

Dean

On Wed, 25 Jun 1997, Andrew Wilson wrote:

> Marc Slemko:
> > 
> > Do you have any access configs on your server to limit requests so that
> > *.web and *.meta files can't be read?
> > 
> > Dean changed it to do a subrequest to check that the metafile can be read
> > instead of just a stat.
> 
> What?  That sounds like overkill to me.  If the meta file is there and
> readable from a stat then it will be sent out of the server in its
> entirety.  What then is the problem with attempting to access it
> directly?  Even if someone *did* want to do this (I can't think why
> they'd want to) all they're going to receive in the way of 'stolen
> goods' is what they get anyway when they access other items in the same
> 'directory'.  And well, if the directory is protected from access then
> they're not gonna get as far as mod_cern_meta to grab the information
> anyway.
> 
> Ay.
> 
> > (no, I haven't looked at it either...)
> > 
> > On Wed, 25 Jun 1997, Randy Terbush wrote:
> > 
> > > Seems that the recent change to mod_cern_meta has caused a problem.
> > > All requests for documents using content negotiation seem to fail 
> > > with the server complaining that it cannot read the .web or .meta 
> > > file. I have not tracked this down beyond the fact that removing 
> > > mod_cern_meta from the server solves the problem.
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> 
> -- 
> Andrew.Wilson@cm.cs.ac.uk          http://www.cs.cf.ac.uk/User/Andrew.Wilson/
> 
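
Dean's symlink question, as an added example that is not part of the original message or of Apache's code: a bare stat() follows a symlink and reports a readable regular file, while a check that applies a "no symlinks" rule refuses the same path. The function names, the file names and the lstat()-based rule are assumptions standing in for the controls a subrequest would apply.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The stat-only check from the thread: stat() follows symlinks, so a link
 * to any readable regular file looks like a valid metafile. */
static int stat_only_ok(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hypothetical stand-in for one control a subrequest would enforce:
 * symlinks are forbidden, so the final path component must not be a link. */
static int no_symlink_policy_ok(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Builds a constructed layout in a temp dir and checks the metafile path.
 * Returns bit 0 = stat-only verdict, bit 1 = policy verdict, -1 on setup error. */
static int check_metafile(int as_symlink) {
    char dir[] = "/tmp/metademoXXXXXX";
    char target[64], meta[64];
    int result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/outside.txt", dir);
    snprintf(meta, sizeof meta, "%s/index.html.meta", dir);
    /* Either the metafile is a real file, or it is a link to another file. */
    FILE *f = fopen(as_symlink ? target : meta, "w");
    if (f) {
        fputs("X-Demo: constructed\n", f);
        fclose(f);
        if (!as_symlink || symlink(target, meta) == 0)
            result = stat_only_ok(meta) | (no_symlink_policy_ok(meta) << 1);
    }
    unlink(meta); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("regular file: %d, symlink: %d\n", check_metafile(0), check_metafile(1));
    return 0;
}
```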

