Return-Path: 
 <dev-return-74954-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-dev-archive@www.apache.org
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 84AA99183
	for <apmail-httpd-dev-archive@www.apache.org>;
 Fri, 16 Mar 2012 13:50:55 +0000 (UTC)
Received: (qmail 89805 invoked by uid 500); 16 Mar 2012 13:50:54 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 89756 invoked by uid 500); 16 Mar 2012 13:50:54 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 89748 invoked by uid 99); 16 Mar 2012 13:50:54 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 16 Mar 2012 13:50:54 +0000
X-ASF-Spam-Status: No, hits=0.7 required=5.0
	tests=FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (nike.apache.org: local policy)
Received: from [80.229.52.226] (HELO baldur) (80.229.52.226)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 16 Mar 2012 13:50:47 +0000
Received: from baldur (localhost [127.0.0.1])
	by baldur (Postfix) with ESMTP id 56CC4C16042C
	for <dev@httpd.apache.org>; Fri, 16 Mar 2012 13:50:25 +0000 (GMT)
Date: Fri, 16 Mar 2012 13:50:23 +0000
From: Nick Kew <nick@webthing.com>
To: dev@httpd.apache.org
Subject: Re: printing r->filename for access denied errors
Message-ID: <20120316135023.39c14f7b@baldur>
In-Reply-To: 
 <CALK=YjP5ZBX=wti6rG-+ZYJb4WarmWFz9pq1iVWvm2fd-LfzWw@mail.gmail.com>
References: 
 <CALK=YjP5ZBX=wti6rG-+ZYJb4WarmWFz9pq1iVWvm2fd-LfzWw@mail.gmail.com>
X-Mailer: Claws Mail 3.7.4 (GTK+ 2.20.1; i486-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

On Fri, 16 Mar 2012 07:54:37 -0400
Eric Covener <covener@gmail.com> wrote:

> Seems like IRC users are often confused that permission denied errors
> include the URI only and not the filesystem path.
> 
> (They're convinced it's failing because httpd is looking in the wrong
> place for /index.html, or they think we forgot to add a documentroot,
> or have no idea where /foo/bar/baz is supposed to be in the
> filesystem)
> 
> Is there any harm in adding it?  This is the rv from a stat in the
> directory walk.

Yes, there is harm.  Exposing filesystem information will bring
in a flood of vulnerability reports.  Remember the kerfuffle we
had about inodes appearing in etags?

Maybe exposing it at loglevel debug would be a compromise?

-- 
Nick Kew