Posted to modperl@perl.apache.org by Charles John Brabec <br...@mosa.unity.ncsu.edu> on 2001/02/02 18:47:33 UTC

[RFC] Apache::BlockSymLinks 0.1

Hi Folks,

I've got a situation that needed a solution. Say I have a directory in
my htdocs that contains:

   frames.html                - a document
   index.html -> frames.html  - a symbolic link
   hacker.txt -> /etc/passwd  - another symbolic link

I'd like to allow the index.html link to work, but deny the hacker.txt
one. Disallowing the FollowSymLinks option kills both links.  
SymLinksIfOwnerMatch option helps, but I have numerous authors
on my server so I cannot guarantee the same owner on each file.

Tried something like this:
   <Directory /usr/local/etc/httpd/htdocs>
      Order allow,deny
      Allow from all
   </Directory>
   <Directory />
      Order deny,allow
      Deny from all
   </Directory>
but a request for htdocs/hacker.txt doesn't seem to realize the
file is really in /etc, so it sends the file out. (Perhaps I 
missed something here?)

The solution I came up with is to write an access handler to 
evaluate symlinked filepaths and test the absolute path against
a set of rules. 

I called the module Apache::BlockSymLinks since it is based on
Apache::BlockAgent. The code can be downloaded from:
  http://mosa.unity.ncsu.edu/brabec/dist/Apache-BlockSymLinks-0.1.tar.gz
and the manpage is online at:
  http://mosa.unity.ncsu.edu/brabec/dist/BlockSymLinks.html

I'm considering adding this module to CPAN and/or the APML, so I'm
looking for comments. Specifically,
   is this useful to others?
   have I reinvented the wheel? 
   any suggestions for additions or modifications?

Thanks,
Charles

-- 
Dr. Charles J. Brabec  | He wants me to be clever. Worse, he wants me to be
Web Systems Programmer | seen to be clever by everyone here. -- Miles
brabec@ncsu.edu        | Vorkosigan (L.M. Bujold)
PH 919.513.0171        |
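Apache matches <Directory> sections against the path it built from the request URI (htdocs/hacker.txt), not against the symlink's resolved target, so the second <Directory /> block above never sees /etc/passwd. The check described in the post, resolving the symlink and testing the absolute path against a set of rules, can be written as a mod_perl 1 access handler. The following is an added illustration, not the code of the Apache::BlockSymLinks module linked above; the package name Apache::BlockSymLinksExample and the PerlSetVar name AllowedRoots are assumptions chosen for this example.

```perl
package Apache::BlockSymLinksExample;   # hypothetical name, not the posted module
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED FORBIDDEN);
use Cwd qw(realpath);

# Suggested configuration (AllowedRoots is an assumed directive name):
#
#   <Directory /usr/local/etc/httpd/htdocs>
#       PerlAccessHandler Apache::BlockSymLinksExample
#       PerlSetVar AllowedRoots "/usr/local/etc/httpd/htdocs /usr/local/share/www"
#   </Directory>
#
# AllowedRoots is a space-separated list of directories (no globs).  Any file
# whose fully resolved path lies outside every listed directory is refused,
# so index.html -> frames.html is served while hacker.txt -> /etc/passwd is
# not, regardless of who owns the link or the target.

# True if $path equals $root or lives somewhere below it.  The comparison is
# done on whole path components so that an allowed root of /srv/htdocs does
# not accidentally admit /srv/htdocs2/secret.
sub path_is_under {
    my ($path, $root) = @_;
    return 1 if $path eq $root;
    my $prefix = ($root eq '/') ? '/' : "$root/";
    return index($path, $prefix) == 0 ? 1 : 0;
}

# Resolve every symlink and ".." in $filename (Cwd::realpath does both) and
# test the absolute result against each allowed root.  The roots are
# resolved too, in case DocumentRoot itself is reached through a link.
sub resolved_target_allowed {
    my ($filename, @roots) = @_;
    my $real = realpath($filename);
    return 0 unless defined $real;          # dangling link / unreadable: deny
    for my $root (@roots) {
        my $real_root = realpath($root);
        next unless defined $real_root;
        return 1 if path_is_under($real, $real_root);
    }
    return 0;
}

sub handler {
    my $r = shift;

    # Let Apache produce its own 404 for files that do not exist.
    return DECLINED unless -e $r->filename;

    my $roots = $r->dir_config('AllowedRoots') || $r->document_root;
    my @roots = split ' ', $roots;

    return OK if resolved_target_allowed($r->filename, @roots);

    $r->log_reason('symlink resolves outside AllowedRoots', $r->filename);
    return FORBIDDEN;
}

# Stand-alone check outside the server (needs mod_perl installed for
# Apache::Constants).  Constructed usage, e.g. after creating the links from
# the post in /tmp/htdocs:
#   perl Apache/BlockSymLinksExample.pm /tmp/htdocs/index.html /tmp/htdocs
#   perl Apache/BlockSymLinksExample.pm /tmp/htdocs/hacker.txt /tmp/htdocs
unless (caller) {
    my ($file, @roots) = @ARGV;
    die "usage: $0 FILE ROOT [ROOT ...]\n" unless defined $file && @roots;
    print resolved_target_allowed($file, @roots) ? "allowed\n" : "denied\n";
}

1;
```

Because the decision is made on the realpath of the file Apache is about to serve, the handler also catches links whose target is itself a link, and links that escape via "..".  It does not replace the FollowSymLinks option: that option must still be on for Apache to open the link at all, and this handler only narrows where the link may point.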