httpd-dev mailing list archives

From: Eric Covener <cove...@gmail.com>
Subject: Re: [patch] Fix cross-user symlink race condition vulnerability
Date: Wed, 31 Oct 2012 19:49:21 GMT

On Wed, Oct 31, 2012 at 3:36 PM, Eric Jacobs <ejacobs@bluehost.com> wrote:
> On 10/31/2012 06:00 AM, Eric Covener wrote:
>>
>> In general that is the proper form -- but this particular issue is
>> documented as a limitation:
>>
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable."
>
>
> Some users (like Bluehost) require the functionality of symlinks without the
> possibility of server side vulnerabilities. Having the vulnerability
> documented doesn't keep servers safe.

My point was that discussion of this particular issue does not need to
be segregated to the private security list.
