httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Jacobs <ejac...@bluehost.com>
Subject Re: [patch] Fix cross-user symlink race condition vulnerability
Date Wed, 31 Oct 2012 19:36:36 GMT
On 10/31/2012 06:00 AM, Eric Covener wrote:
> In general that is the proper form -- but this particular issue is
> documented as a limitation:
>
> "Omitting this option should not be considered a security restriction,
> since symlink testing is subject to race conditions that make it
> circumventable."

Some users (like Bluehost) require the functionality of symlinks without 
the possibility of server side vulnerabilities. Having the vulnerability 
documented doesn't keep servers safe. The patch I submitted allows httpd 
to use symlinks in a protected fashion that doesn't allow for users to 
serve arbitrary files.

I'll go ahead and submit a more detailed email to the security. More 
feedback from the devs is appreciated.


-- 

Eric Jacobs
Junior Systems Administrator
Bluehost.com

Mime
View raw message