Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/06/23 03:14:50 UTC

[PATCH] PR#353: symlink permission problem

In directory_walk it says that the permissions of the parent determine if
a symlink is acceptable.  It implements that during the main loop, but
then just outside the main loop is one more symlink test.  The latter is
required for /dir/file to handle the case where file is a symlink.  But in
the case /dir/symdir where symdir is a symlink to a directory it has, in
my opinion, a bug -- it will read /dir/symdir/.htaccess and use the
permissions defined there to check if symdir is acceptable. 

Consider: 

cd apache/htdocs
echo Options -FollowSymLinks >manual/.htaccess
ln -s manual symdir

Then access /symdir (or /symdir/) and you'll get a 403.  But accessing
/symdir/index.html you will get a 200.

The following small patch fixes this.  But it's one of those
head-scratcher "is this really right?  does this open a security hole?" 
things.  So please review carefully. 

I think there are other related PRs but couldn't find them. 

Dean

Index: http_request.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_request.c,v
retrieving revision 1.51
diff -c -3 -r1.51 http_request.c
*** http_request.c	1997/06/15 19:22:27	1.51
--- http_request.c	1997/06/23 00:36:14
***************
*** 399,406 ****
  
      r->per_dir_config = per_dir_defaults;
  
!     if ((res = check_symlinks (r->filename, allow_options(r))))
!     {
  	log_reason("Symbolic link not allowed", r->filename, r);
  	return res;
      }
--- 399,414 ----
  
      r->per_dir_config = per_dir_defaults;
  
!     /* Symlink permissions are determined by the parent.  If the request is for
!      * a directory then applying the symlink test here would use the
!      * permissions of the directory as opposed to its parent.  Consider a
!      * symlink pointing to a dir with a .htaccess disallowing symlinks.  If you
!      * access /symlink (or /symlink/) you would get a 403 without this S_ISDIR
!      * test.  But if you accessed /symlink/index.html, for example, you would
!      * *not* get the 403.
!      */
!     if (!S_ISDIR (r->finfo.st_mode)
! 	&& (res = check_symlinks (r->filename, allow_options(r)))) {
  	log_reason("Symbolic link not allowed", r->filename, r);
  	return res;
      }
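
Review bot: The new guard `!S_ISDIR (r->finfo.st_mode)` skips check_symlinks() for every request that resolves to a directory, not only for the /symlink case the comment walks through, so the comment should also say where the final component has already been tested against the parent's options when that component is itself a symlink to a directory. If r->finfo is filled by stat() rather than lstat(), S_ISDIR is true for such a link and this was the last point at which it could be refused. Please confirm that the main loop in directory_walk rejects /dir/symdir when /dir has Options -FollowSymLinks, and note that in the comment so the skip does not read as an unchecked path. A test case with the restriction on the parent rather than on the target directory would settle the "does this open a security hole?" question raised in the message.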