httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <ruediger.pl...@vodafone.com>
Subject RE: printing r->filename for access denied errors
Date Fri, 16 Mar 2012 13:58:15 GMT


> -----Original Message-----
> From: Nick Kew 
> Sent: Friday, 16 March 2012 14:50
> To: dev@httpd.apache.org
> Subject: Re: printing r->filename for access denied errors
> 
> On Fri, 16 Mar 2012 07:54:37 -0400
> Eric Covener <covener@gmail.com> wrote:
> 
> > Seems like IRC users are often confused that permission denied errors
> > include the URI only and not the filesystem path.
> >
> > (They're convinced it's failing because httpd is looking in the wrong
> > place for /index.html, or they think we forgot to add a documentroot,
> > or have no idea where /foo/bar/baz is supposed to be in the
> > filesystem)
> >
> > Is there any harm in adding it?  This is the rv from a stat in the
> > directory walk.
> 
> Yes, there is harm.  Exposing filesystem information will bring
> in a flood of vulnerability reports.  Remember the kerfuffle we
> had about inodes appearing in etags?

The vulnerability report about inodes in etags was because an HTTP client could
read the inode information (Do not want to rehash the discussion here if this is
really a vulnerability if an HTTP client retrieves this information).
In this case the information is kept on the server and only written to the logfile.
I see no vulnerability here and IMHO "vulnerability" reports on this should be easy to fend
off.


Regards

Rüdiger
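The distinction the thread turns on is where the resolved filesystem path ends up: in the server's error log, which only the administrator reads, or in the response body, which the client sees. The following Python sketch, added here as an illustration and not code from httpd or from anyone in this thread, models a directory walk that stats the mapped file, records the filesystem path server-side when the stat fails with EACCES, and returns a 403 body that names only the URI. The document root, the `fake_stat` stand-in for stat(2) (which denies everything under `/private`), and the log line format are all constructed assumptions for the example; the log line is only loosely modelled on httpd's style.

```python
import errno
import os
import posixpath

DOCUMENT_ROOT = "/var/www/html"  # constructed example value, not a real deployment


def map_to_filename(uri):
    """Mimic the URI-to-filename step: normalise the path so '..' cannot
    escape the document root, then join it under DOCUMENT_ROOT."""
    clean = posixpath.normpath("/" + uri.lstrip("/"))
    return DOCUMENT_ROOT + clean


def fake_stat(path):
    """Constructed stand-in for stat(2): every path under /private is
    unreadable, everything else succeeds."""
    if path.startswith(DOCUMENT_ROOT + "/private"):
        raise PermissionError(errno.EACCES, os.strerror(errno.EACCES), path)
    return None


def handle_request(uri, stat=fake_stat, error_log=None):
    """Return (status, body). Permission failures are logged with the
    filesystem path but reported to the client with the URI only."""
    filename = map_to_filename(uri)
    try:
        stat(filename)
    except PermissionError as exc:
        # Server side: the admin needs the resolved path to understand
        # which file the stat() in the directory walk failed on.
        line = (
            f"[core:error] ({exc.errno}){exc.strerror}: "
            f"access to {uri} denied, stat of '{filename}' failed"
        )
        if error_log is not None:
            error_log.append(line)
        # Client side: the error page names the URI, never the path.
        body = (
            "<h1>Forbidden</h1>"
            f"<p>You don't have permission to access {uri} on this server.</p>"
        )
        return 403, body
    return 200, "ok"


if __name__ == "__main__":
    log = []
    status, body = handle_request("/private/secret.html", error_log=log)
    print(status, body)
    print(log[0])
```

Running the block shows the 403 body containing `/private/secret.html` while the filesystem path `/var/www/html/private/secret.html` appears only in the collected log line, which is the split Rüdiger describes.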
