You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/12/07 20:48:00 UTC
DO NOT REPLY [Bug 40079] - Server do not work under limited user account
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40079>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40079
wrowe@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From wrowe@apache.org 2006-12-07 11:48 -------
"Is it riquired to list up-level directories? Why server can not "live" only in
its directory? Why not only check given path exists, without listing of parent
directories?"
Because Apache cannot be permitted to confuse e:\Apache2Server with e:\Apache~1
or the HOST of various conflicts which can occur because windows chooses to be
CAST INSENSITIVE, but moreso because it's also NOT CANONICAL. The file path
"e:\Apache2Server\" is equivilant to "e:\Apache2Server.", for example.
Therefore we **INSIST** on canonicalizing the path. If we have nothing but list
access to see dir FOO exists, this isn't a security problem. If we accept both
e:\Apache~1\ and e:\Apache2Server as two different names, there IS A HUGE
security problem.
Marked as invalid. Parent directories must be list/traverse accessible to
differentiate them on Win32.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org