httpd-dev mailing list archives

From dean gaudet <d...@arctic.org>
Subject Re: [2.0] lstat's in spite of AllowOverride None
Date Mon, 19 Nov 2001 04:07:26 GMT
On Fri, 9 Nov 2001, Michael Douglass wrote:

> I'd be wary of caching the lstat() information for more than the
> current connection; you don't want someone to abuse that cache by
> creating a symlink AFTER letting apache cache the information.

if an attacker can create symlinks they can just as easily copy
/etc/passwd or other sensitive world-readable data.

!FollowSymLinks is stupid anyhow, it should die.  who even pretends that
it helps system security?  for perf reasons we changed httpd.conf ages ago
to default to FollowSymLinks, and i bet 99% of the apaches out there run
this way.

years ago i suggested something such as
<http://arctic.org/~dean/apache/1.3/mod_allowdev.c>.  if you really think
FollowSymLinks is useful then mod_allowdev probably makes even more sense.

-dean
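The per-component lstat() walk the thread is arguing about, as an added example that is not code from httpd or from either poster: it lstat()s every prefix of a request path beneath a trusted root, which is the check httpd performs when FollowSymLinks is off, and then contrasts a fresh walk with a verdict cached across requests. The scratch directory, the file names and the `symlink_cache_entry` type are constructed for this example; that only the components beneath the root are examined is also an assumption of the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define DEMO_PATH_MAX 4096

/* lstat() each prefix of rel beneath root (root itself is trusted).
 * Returns 1 if any component is a symlink, 0 if none is, -1 on error. */
int path_has_symlink(const char *root, const char *rel)
{
    char buf[DEMO_PATH_MAX];
    struct stat st;
    int n = snprintf(buf, sizeof buf, "%s/%s", root, rel);

    if (n < 0 || (size_t)n >= sizeof buf || rel[0] == '\0')
        return -1;
    /* Walk from the first byte of rel; terminate at each '/' so the
     * prefix carries no trailing slash (a trailing slash would make
     * lstat() follow a symlinked directory instead of reporting it). */
    for (size_t i = strlen(root) + 2; i <= (size_t)n; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;
        char saved = buf[i];
        buf[i] = '\0';
        int rc = lstat(buf, &st);
        buf[i] = saved;
        if (rc != 0)
            return -1;
        if (S_ISLNK(st.st_mode))
            return 1;
    }
    return 0;
}

/* Constructed stand-in for a verdict cache that outlives one request:
 * the entry keeps the answer computed the first time the path was seen. */
typedef struct {
    char rel[DEMO_PATH_MAX];
    int verdict;
} symlink_cache_entry;

int cached_verdict(symlink_cache_entry *e, const char *root, const char *rel)
{
    if (strcmp(e->rel, rel) != 0) {
        snprintf(e->rel, sizeof e->rel, "%s", rel);
        e->verdict = path_has_symlink(root, rel);
    }
    return e->verdict;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int rc = fputs(text, f) < 0 ? -1 : 0;
    return fclose(f) == 0 ? rc : -1;
}

/* Constructed fixture: a scratch document root holding one regular file,
 * plus a file beside it standing in for data outside the document tree. */
int build_fixture(char *dir_out, size_t dir_len)
{
    char tmpl[] = "/tmp/lstat-demo-XXXXXX";
    char p[DEMO_PATH_MAX];

    if (!mkdtemp(tmpl) || strlen(tmpl) + 1 > dir_len)
        return -1;
    strcpy(dir_out, tmpl);
    snprintf(p, sizeof p, "%s/docs", tmpl);
    if (mkdir(p, 0755) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/docs/index.html", tmpl);
    if (write_file(p, "<html>ok</html>\n") != 0)
        return -1;
    snprintf(p, sizeof p, "%s/outside.txt", tmpl);
    return write_file(p, "not meant to be served\n");
}

/* The situation the thread describes: the regular file is replaced by a
 * symlink after the verdict has already been cached. */
int swap_for_symlink(const char *dir)
{
    char target[DEMO_PATH_MAX], link[DEMO_PATH_MAX];
    snprintf(target, sizeof target, "%s/outside.txt", dir);
    snprintf(link, sizeof link, "%s/docs/index.html", dir);
    if (unlink(link) != 0)
        return -1;
    return symlink(target, link);
}

int main(void)
{
    char dir[DEMO_PATH_MAX];
    const char *rel = "docs/index.html";
    symlink_cache_entry cache = { "", 0 };

    if (build_fixture(dir, sizeof dir) != 0)
        return 1;
    printf("before swap: fresh=%d cached=%d\n",
           path_has_symlink(dir, rel), cached_verdict(&cache, dir, rel));
    if (swap_for_symlink(dir) != 0)
        return 1;
    printf("after swap:  fresh=%d cached=%d\n",
           path_has_symlink(dir, rel), cached_verdict(&cache, dir, rel));
    return 0;
}
```

A fresh walk on every request reports the swapped-in symlink; the cached verdict keeps answering 0, which is exactly the abuse Michael describes. The fresh walk only narrows the window rather than closing it: there is still a gap between the last lstat() and the open() that serves the file. Opening with O_NOFOLLOW and fstat()ing the descriptor removes that gap for the final component only, not for a symlinked directory higher up the path.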

