httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Is SymlinksIfOwnerMatch checked correctly in request.c?
Date Fri, 23 Sep 2005 05:22:28 GMT
Robert L Mathews wrote:
> Shouldn't the first one operate on lfi, like so:
> 
>       if ((res = apr_lstat(lfi, d, lfi->valid | APR_FINFO_OWNER, p))

yes...

> Otherwise, it seems that lfi->user could be random junk, leading to a 
> very likely false HTTP_FORBIDDEN result (and the small possibility of an 
> erroneous OK result).

in practice it's almost ever called, most platforms targeting apache do
automatically fill in FINFO_OWNER.  Only on oddballs, like win32, will
you get a 'basic' stat, and in that case we re-query for the owner.

Most of the time, lfi was filled in before we hit this code.

Good catch though!

Mime
View raw message