Posted to apache-bugdb@apache.org by Dan Astoorian <dj...@cs.toronto.edu> on 2000/06/06 21:38:18 UTC

mod_autoindex/6153: mod_autoindex ignores setting of Options FollowSymLinks/SymLinksIfOwnerMatch

>Number:         6153
>Category:       mod_autoindex
>Synopsis:       mod_autoindex ignores setting of Options FollowSymLinks/SymLinksIfOwnerMatch
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Tue Jun 06 12:40:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     djast@cs.toronto.edu
>Release:        1.3.12
>Organization:
apache
>Environment:
Any
>Description:
Directory indexing includes symbolic links, even if the FollowSymLinks or
SymLinksIfOwnerMatch option is turned off.  Thus, the indices output by
the module include links to URLs which Apache should know will return a
"403 Forbidden" error.

It would be nice if mod_autoindex could decide based on the FollowSymLinks
and SymLinksIfOwnerMatch options whether a symbolic link should be included
in a directory listing.  (Failing that, an IndexOptions keyword which could
select the file types to be included in the listing might be useful.)
>How-To-Repeat:
Create a symbolic link under a document tree where FollowSymLinks and
SymLinksIfOwnerMatch are off (or create a symbolic link belonging to
a different user from the target where SymLinksIfOwnerMatch is on).  Make
sure "Options Indexes" is turned on.  Get Apache to produce an index for
the directory; it will include an entry for the symbolic link, but following
the hyperlink will produce "403 Forbidden."
>Fix:
Have mod_autoindex check whether Apache would permit the symbolic link
to be followed.  Since doing so could potentially degrade performance (e.g.,
because checking SymLinksIfOwnerMatch would require Apache to stat() the
target of the symlink in order to compare owners), add a keyword to
IndexOptions controlling whether or not the check should be made (e.g.,
"IndexOptions +StrictSymLinks" or something similar).
>Release-Note:
>Audit-Trail:
>Unformatted:
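
The check proposed under ">Fix:" can be sketched as follows. This is an added example, not code from the report or from Apache: the enum, function names and sample file names are hypothetical, and the owner comparison (link owner against target owner) is an assumption about how "compare owners" would be done.

```c
#define _XOPEN_SOURCE 700   /* lstat, symlink, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for this example; not Apache's own identifiers. */
enum link_policy { LINKS_OFF, LINKS_FOLLOW, LINKS_IF_OWNER_MATCH };

/* Returns 1 if the entry may be listed, 0 if it should be left out. */
int entry_listable(const char *path, enum link_policy policy)
{
    struct stat lnk, target;
    if (lstat(path, &lnk) != 0)
        return 0;                    /* vanished or unreadable */
    if (!S_ISLNK(lnk.st_mode))
        return 1;                    /* not a symlink: policy does not apply */
    if (policy == LINKS_FOLLOW)
        return 1;
    if (policy == LINKS_OFF)
        return 0;                    /* following it would give 403 */
    if (stat(path, &target) != 0)    /* the extra stat() the report mentions */
        return 0;                    /* dangling link */
    return lnk.st_uid == target.st_uid;
}

/* Builds a constructed sample directory and packs four results into bits. */
int demo_results(void)
{
    char dir[] = "/tmp/idxdemoXXXXXX", file_path[64], link_path[64];
    int fd, bits = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file_path, sizeof file_path, "%s/page.html", dir);
    snprintf(link_path, sizeof link_path, "%s/alias.html", dir);
    fd = open(file_path, O_CREAT | O_WRONLY, 0644);
    if (fd < 0 || symlink(file_path, link_path) != 0)
        return -1;
    close(fd);
    bits |= entry_listable(file_path, LINKS_OFF) << 0;            /* regular file */
    bits |= entry_listable(link_path, LINKS_OFF) << 1;            /* hidden */
    bits |= entry_listable(link_path, LINKS_FOLLOW) << 2;         /* listed */
    bits |= entry_listable(link_path, LINKS_IF_OWNER_MATCH) << 3; /* same owner */
    unlink(link_path); unlink(file_path); rmdir(dir);
    return bits;
}

int main(void) { printf("bits=%d\n", demo_results()); return 0; }
```

Only the LINKS_IF_OWNER_MATCH branch costs a second system call per entry, which is the performance concern that motivates making the check optional.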