Posted to docs@httpd.apache.org by Jason Lingohr <ja...@lucid.net.au> on 2008/10/01 01:59:02 UTC

Re: help for translation

On 30/09/2008 12:28 AM, Lucien GENTIS wrote:
> Hello to all,
>
> File trunk/manual/lod/core.xml - line 2298 about FollowSymLinks option.
>
> Could someone explain this sentence :
>
> "Omitting this option should not be considered a security restriction,
> since symlink testing is subject to race conditions that make it
> circumventable.
>

The second part reads ok to me -- buffer overrun or memory allocation
exhaustion... but the "restriction" word seems odd.

Should it perhaps be "should not be considered a security
(benefit|enhancement),..."


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: help for translation

Posted by Lucien GENTIS <lu...@lorraine.iufm.fr>.
Eric Covener wrote:
>>>>> "Omitting this option should not be considered a security restriction,
>>>>> since symlink testing is subject to race conditions that make it
>>>>> circumventable.
>>>>>           
>
>   
>> "Omitting this option should not be considered a security enhancement,
>> because the time while testing symlinks can be subject to race conditions
>> and so the security measure taken omitting this option can be circumvented.
>>     
>
> The end of this new sentence confuses me more then simply "race
> condition" in the original, but I do agree that "make it
> circumventable" could use some work.
>
> "Omitting this option should not be considered a security measure,
> because there remains a race condition in the span of time between
> checking that a path component is not a symlink and then subsequently
> using that path component."
>
> (a little redundant to explain "race condition")
>
>   
Yes, I like this last sentence; a little redundancy is never a bad thing.

All I've got left to do is translate it into French ;-)

Thanks to all for help

Lucien

-- 
Lucien GENTIS
IUFM de Lorraine
Centre de Ressources Informatiques
5, Rue Paul Richard
C.O. 3 - MAXEVILLE
54528 LAXOU-CEDEX

Tél. 03 83 17 68 41
Email : lucien.gentis@lorraine.iufm.fr




Re: help for translation

Posted by Eric Covener <co...@gmail.com>.
>>>> "Omitting this option should not be considered a security restriction,
>>>> since symlink testing is subject to race conditions that make it
>>>> circumventable.

> "Omitting this option should not be considered a security enhancement,
> because the time while testing symlinks can be subject to race conditions
> and so the security measure taken omitting this option can be circumvented.

The end of this new sentence confuses me more than simply "race
condition" in the original, but I do agree that "make it
circumventable" could use some work.

"Omitting this option should not be considered a security measure,
because there remains a race condition in the span of time between
checking that a path component is not a symlink and then subsequently
using that path component."

(a little redundant to explain "race condition")

-- 
Eric Covener
covener@gmail.com



Re: help for translation

Posted by Lucien GENTIS <lu...@lorraine.iufm.fr>.
Eric Covener wrote:
> On Tue, Sep 30, 2008 at 7:59 PM, Jason Lingohr <ja...@lucid.net.au> wrote:
>   
>> On 30/09/2008 12:28 AM, Lucien GENTIS wrote:
>>     
>>> Hello to all,
>>>
>>> File trunk/manual/lod/core.xml - line 2298 about FollowSymLinks option.
>>>
>>> Could someone explain this sentence :
>>>
>>> "Omitting this option should not be considered a security restriction,
>>> since symlink testing is subject to race conditions that make it
>>> circumventable.
>>>
>>>       
>> The second part reads ok to me -- buffer overrun or memory allocation
>> exhaustion... but the "restriction" word seems odd.
>>
>> Should it perhaps be "should not be considered a security
>> (benefit|enhancement),..."
>>     
>
> Maybe "... security measure"
>
> Re: the 2nd part, AIUI the window between checking that a path
> component isn't a symlink then actually using the path component is
> what this is referring to, not some potential corruption issue in the
> server that would change the behavior.
>
>   
Thanks for all answers; yet I understand the sentence this way:

"Omitting this option should not be considered a security enhancement, because the time while testing symlinks can be subject to race conditions and so the security measure taken omitting this option can be circumvented.

Am I right?







Re: help for translation

Posted by Eric Covener <co...@gmail.com>.
On Tue, Sep 30, 2008 at 7:59 PM, Jason Lingohr <ja...@lucid.net.au> wrote:
> On 30/09/2008 12:28 AM, Lucien GENTIS wrote:
>> Hello to all,
>>
>> File trunk/manual/lod/core.xml - line 2298 about FollowSymLinks option.
>>
>> Could someone explain this sentence :
>>
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable.
>>
>
> The second part reads ok to me -- buffer overrun or memory allocation
> exhaustion... but the "restriction" word seems odd.
>
> Should it perhaps be "should not be considered a security
> (benefit|enhancement),..."

Maybe "... security measure"

Re: the 2nd part, AIUI the window between checking that a path
component isn't a symlink then actually using the path component is
what this is referring to, not some potential corruption issue in the
server that would change the behavior.

-- 
Eric Covener
covener@gmail.com
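
The check-then-use window discussed in this thread, shown as an added example that is not part of the original messages and is not httpd's own code: it compares a separate symlink test followed by open() with a test made by the kernel at open time. All function names, the /tmp directory and the file names are constructed for illustration, and swap_for_symlink() is a stand-in for a concurrent change by another local process.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for another local process acting inside the window. */
static void swap_for_symlink(const char *path, const char *target) {
    if (unlink(path) != 0 || symlink(target, path) != 0) perror("swap");
}

/* Check-then-use: lstat() and open() resolve the path in two separate steps. */
static int open_check_then_use(const char *path, const char *target) {
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1;
    swap_for_symlink(path, target);      /* path changes after the check */
    return open(path, O_RDONLY);         /* follows the new symlink */
}

/* Check at use: the kernel rejects a symlink in the final component (ELOOP). */
static int open_no_follow(const char *path, const char *target) {
    swap_for_symlink(path, target);      /* same change, any time before open */
    return open(path, O_RDONLY | O_NOFOLLOW);
}

/* 1 = opened file is the symlink target, 0 = open refused, -1 = setup error. */
int followed_after_swap(int hardened) {
    char dir[] = "/tmp/symrace.XXXXXX", doc[64], other[64];
    struct stat want, got;
    if (!mkdtemp(dir)) return -1;
    snprintf(doc, sizeof doc, "%s/index.html", dir);
    snprintf(other, sizeof other, "%s/outside.txt", dir);
    int a = open(doc, O_CREAT | O_WRONLY, 0600);
    int b = open(other, O_CREAT | O_WRONLY, 0600);
    if (a < 0 || b < 0 || stat(other, &want) != 0) return -1;
    close(a); close(b);
    int fd = hardened ? open_no_follow(doc, other) : open_check_then_use(doc, other);
    int result = 0;
    if (fd >= 0 && fstat(fd, &got) == 0)
        result = got.st_dev == want.st_dev && got.st_ino == want.st_ino;
    if (fd >= 0) close(fd);
    unlink(doc); unlink(other); rmdir(dir);
    return result;
}

int main(void) {
    printf("check-then-use: %d, O_NOFOLLOW: %d\n", followed_after_swap(0), followed_after_swap(1));
    return 0;
}
```

O_NOFOLLOW only covers the final path component; a symlink swapped into an intermediate directory is still followed, so it does not close the window for a whole path.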
