You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/14 22:14:59 UTC

DO NOT REPLY [Bug 51510] New: AllowOverride "leakage"

https://issues.apache.org/bugzilla/show_bug.cgi?id=51510

             Bug #: 51510
           Summary: AllowOverride "leakage"
           Product: Apache httpd-2
           Version: 2.2.19
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jarek@adeon.lublin.pl
    Classification: Unclassified


Imagine that we've simple VirtualHost definition:

<VirtualHost 1.2.3.4:80>
(...)
 <Directory /home/xxx/public_html>
 AllowOverride AuthConfig FileInfo Indexes Limit
Options=Indexes,MultiViews,FollowSymLinks
 Options +SymLinksIfOwnerMatch 
 </Directory>
</VirtualHost>

As you can see above, user should not have the ability to omit
SymLinksIfOwnerMatch in lower level context (like .htaccess).
SymLinksIfOwnerMatch is not typed in AllowOverride and defaulty enabled. 
User should not have ability to read symlinks to other users' files.


Example #1:
echo "Options -SymLinksIfOwnerMatch" > /home/xxx/public_html/.htaccess
result: internal server error (correct)


Example #2:
echo "Options +FollowSymLinks" > /home/xxx/public_html/.htaccess
result: user is able to read symlinks to his own files (correct)
user is unable to read files owned by other users (correct)


Example #3:
echo "Options FollowSymLinks" > /home/xxx/public_html/.htaccess
result: SymLinksIfOwnerMatch is disabled! 
User is able to read symlinks to files owned by other users!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51510] AllowOverride "leakage"

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51510

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
          Component|Core                        |Documentation
         Resolution|                            |FIXED

--- Comment #1 from Eric Covener <co...@gmail.com> 2011-08-08 12:27:15 UTC ---
AllowOverride Options=xxx does not let you limit the effective value in some
lower level scope, so you can still "reset" all options by using the
non-relative syntax.  This is the basic operation of the Options directive.

While there's nothing incorrect in the current doc, I added a note about the
significance of limiting what Options can be used.

http://svn.apache.org/viewvc?view=revision&revision=1154940

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org