httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: printing r->filename for access denied errors
Date Fri, 16 Mar 2012 13:50:23 GMT
On Fri, 16 Mar 2012 07:54:37 -0400
Eric Covener <covener@gmail.com> wrote:

> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
> 
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
> 
> Is there any harm in adding it?  This is the rv from a stat in the
> directory walk.

Yes, there is harm.  Exposing filesystem information will bring
in a flood of vulnerability reports.  Remember the kerfuffle we
had about inodes appearing in etags?

Maybe exposing it at loglevel debug would be a compromise?

-- 
Nick Kew
