www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aveek Datta <ada...@ml.org>
Subject general/599: <directory> not enforced if seen through symlink.
Date Wed, 21 May 1997 02:20:02 GMT

>Number:         599
>Category:       general
>Synopsis:       <directory> not enforced if seen through symlink.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue May 20 19:20:01 1997
>Originator:     adatta@ml.org
>Organization:
apache
>Release:        1.2b10
>Environment:
Linux Redhat fresh install v4.1 (Colgate) GCC
>Description:
Here is the setup:

       <Directory /home/adatta/blah/blah>
       is protected by AUTH_MSQL correctly.
       </directory>

This directory is a directory not accessible by WWW in general, and
is the real path. However .. (continued in next section)
>How-To-Repeat:
do this:
         ln -s /home/adatta/blah/blah /home/adatta/www
or public_html, whatever your setup is, then the <Directory> will
NOT be protected. In other words, the Symlink overrides the true directory setting.
>Fix:
It's not a major problem. In fact, you probably know about it.
I didn't, and it caused me some frustration on why it wasn't
asking for authorization. However, I figured it out.. :)
Just in case you didn't know about this 'feature'
>Audit-Trail:
>Unformatted:



Mime
View raw message