httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan Bloom <...@covalent.net>
Subject Re: [2.0] lstat's in spite of AllowOverride None
Date Fri, 09 Nov 2001 20:28:21 GMT
On Friday 09 November 2001 12:11 pm, Michael Douglass wrote:
> > > As FirstBill suggests, there are other means for caching the (l)stat
> > > results, at least for the request duration, which need to be deployed. 
> > > But dropping the path_info walk-backwards logic was step one.  Any
> > > optimization patches are entertianed to speed up the server, if we
> > > don't lose stability.
> >
> > Caching the lstat() results should help, but reducing to a single stat()
> > as I suggest would seem better still?
>
> I'd be weary of caching the lstat() information for more than the current
> connection; you don't want someone to abuse that cache by creating a
> symlink AFTER letting apache cache the information.
>
> Anyone think about using resolvepath() as an initial check?  resolvepath()
> is a single system call to take a path to a file and convert it to the
> resultant path after following all symlinks.  Thus you could have a single
> call to resolvepath() and strcmp() to see if there were any symlinks in
> the path--if there were then you either "deny" it if symlinks are not
> allowed at all; or you proceed with the lstat() scheme otherwise.
>
> This would seem to circumvent alot of lstat() calls on the (hopefully)
> normal case that there are no symlinks involved anywhere. :)

The problem is that you can deny SymLinks at any point in the path.  We
could use resolvepath(), but then we would need to walk the path anyway to
make sure that Symlinks are allowed all the way down.

Ryan

______________________________________________________________
Ryan Bloom				rbb@apache.org
Covalent Technologies			rbb@covalent.net
--------------------------------------------------------------

Mime
View raw message