httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r423886 - in /httpd/httpd/trunk: CHANGES server/request.c
Date Thu, 20 Jul 2006 12:04:32 GMT
On Thu, Jul 20, 2006 at 11:01:08AM -0000, rpluem@apache.org wrote:
> Author: rpluem
> Date: Thu Jul 20 04:01:07 2006
> New Revision: 423886
> 
> URL: http://svn.apache.org/viewvc?rev=423886&view=rev
> Log:
> * Check for symbolic links of the target file in the optimized case that we
>   had already done this specific directory walk for this request. This can
>   happen when we have an internal redirect, like the ones caused by mod_dir
>   (/ -> index.html). See also
> 
>   http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44B5521F.8050906@globalvanet.com%3e
> 
>   If we do not do this we have a security hole as the FollowSymLinks and
>   SymLinksIfOwnerMatch settings can be circumvented this way.

I think it's a *very* bad idea to imply that SymLinksIfOwnerMatch is a 
security feature.

If you did want to call this a "security feature" then you also need to 
fix the big fat race condition in between all those nice careful stat() 
calls and the default handler going to open the file.  Which I doubt 
would be simple to say the least.

I'd stay well clear of the word "security" here.

joe
