httpd-dev mailing list archives

From Joe Orton <>
Subject Re: svn commit: r423886 - in /httpd/httpd/trunk: CHANGES server/request.c
Date Thu, 20 Jul 2006 12:04:32 GMT
On Thu, Jul 20, 2006 at 11:01:08AM -0000, wrote:
> Author: rpluem
> Date: Thu Jul 20 04:01:07 2006
> New Revision: 423886
> URL:
> Log:
> * Check for symbolic links of the target file in the optimized case that we
>   had already done this specific directory walk for this request. This can
>   happen when we have an internal redirect, like the ones caused by mod_dir
>   (/ -> index.html). See also
>   If we do not do this we have a security hole as the FollowSymLinks and
>   SymLinksIfOwnerMatch settings can be circumvented this way.

I think it's a *very* bad idea to imply that SymLinksIfOwnerMatch is a 
security feature.

If you did want to call this a "security feature" then you also need to 
fix the big fat race condition in between all those nice careful stat() 
calls and the default handler going to open the file.  Which I doubt 
would be simple to say the least.

I'd stay well clear of the word "security" here.
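
The race described in the message above sits between a path-based stat() check and the later open() of the same name. The following is an added example, not code from this message or from httpd, of closing that window for the final path component only by opening first and then checking the descriptor. The names `open_nofollow_checked` and `demo` and the temp-dir layout are hypothetical, and symlinks in directory components would still need per-component handling (for example with openat()).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only without following a symlink in
 * the final component, then validate the object that was actually opened. */
int open_nofollow_checked(const char *path, struct stat *st)
{
    /* O_NOFOLLOW makes the kernel refuse a final-component symlink at open
     * time (ELOOP on Linux); O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() describes the open descriptor, so swapping the name for a
     * symlink after this point cannot change what gets served. */
    if (fstat(fd, st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st->st_mode)) { close(fd); errno = EACCES; return -1; }
    return fd;
}

/* Constructed demo input: a regular file and a symlink to it in a temp dir.
 * Returns 0 when the file opens and the symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", file[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/index.html", dir);
    snprintf(lnk, sizeof lnk, "%s/link.html", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    int ok_fd = open_nofollow_checked(file, &st);
    int bad_fd = open_nofollow_checked(lnk, &st);
    int rc = (ok_fd >= 0 && bad_fd == -1) ? 0 : 1;
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```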

