httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: printing r->filename for access denied errors
Date Fri, 16 Mar 2012 14:02:11 GMT
On Fri, Mar 16, 2012 at 9:58 AM, Plüm, Rüdiger, VF-Group
<ruediger.pluem@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Nick Kew
>> Sent: Freitag, 16. März 2012 14:50
>> To: dev@httpd.apache.org
>> Subject: Re: printing r->filename for access denied errors
>>
>> On Fri, 16 Mar 2012 07:54:37 -0400
>> Eric Covener <covener@gmail.com> wrote:
>>
>> > Seems like IRC users are often confused that permission denied errors
>> > include the URI only and not the filesystem path.
>> >
>> > (They're convinced it's failing because httpd is looking in the wrong
>> > place for /index.html, or they think we forgot to add a documentroot,
>> > or have no idea where /foo/bar/baz is supposed to be in the
>> > filesystem)
>> >
>> > Is there any harm in adding it?  This is the rv from a stat in the
>> > directory walk.
>>
>> Yes, there is harm.  Exposing filesystem information will bring
>> in a flood of vulnerability reports.  Remember the kerfuffle we
>> had about inodes appearing in etags?
>
> The vulenerability report about inodes in etags was because a HTTP client could
> read the inode information (Do not want to rehash the discussion here if this is
> really a vulnerability if a HTTP client retrieves this information).
> In this case the information is kept on the server and only written to the logfile.
> I see no vulnerability here and IMHO "vulnerability" reports on this should be easy to
fend off.
>

+1, I believe r->filename is already recorded in similar messages too
(bad perms on opening file vs. bad perms in directory walk)

Mime
View raw message