Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/14 22:14:59 UTC
DO NOT REPLY [Bug 51510] New: AllowOverride "leakage"
https://issues.apache.org/bugzilla/show_bug.cgi?id=51510
Bug #: 51510
Summary: AllowOverride "leakage"
Product: Apache httpd-2
Version: 2.2.19
Platform: PC
OS/Version: FreeBSD
Status: NEW
Severity: regression
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: jarek@adeon.lublin.pl
Classification: Unclassified
Imagine that we have a simple VirtualHost definition:
<VirtualHost 1.2.3.4:80>
    (...)
    <Directory /home/xxx/public_html>
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,MultiViews,FollowSymLinks
        Options +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
As you can see above, the user should not have the ability to omit
SymLinksIfOwnerMatch in a lower-level context (like .htaccess).
SymLinksIfOwnerMatch is not listed in AllowOverride and is enabled by default.
The user should not have the ability to read symlinks to other users' files.
Example #1:
echo "Options -SymLinksIfOwnerMatch" > /home/xxx/public_html/.htaccess
result: internal server error (correct)
Example #2:
echo "Options +FollowSymLinks" > /home/xxx/public_html/.htaccess
result: user is able to read symlinks to his own files (correct)
user is unable to read files owned by other users (correct)
Example #3:
echo "Options FollowSymLinks" > /home/xxx/public_html/.htaccess
result: SymLinksIfOwnerMatch is disabled!
User is able to read symlinks to files owned by other users!
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 51510] AllowOverride "leakage"
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51510
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Component|Core |Documentation
Resolution| |FIXED
--- Comment #1 from Eric Covener <co...@gmail.com> 2011-08-08 12:27:15 UTC ---
AllowOverride Options=xxx does not let you limit the effective value in some
lower level scope, so you can still "reset" all options by using the
non-relative syntax. This is the basic operation of the Options directive.
While there's nothing incorrect in the current doc, I added a note about the
significance of limiting what Options can be used.
http://svn.apache.org/viewvc?view=revision&revision=1154940
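As an added example (not code from httpd and not from the bug report or comment #1), the following Python model reproduces the three .htaccess cases from the report and the behaviour comment #1 describes: the AllowOverride Options= check only inspects the option names actually written on the .htaccess line, while an absolute (non +/-) Options line replaces the inherited set, so SymLinksIfOwnerMatch disappears without ever being named. The function names, the baseline options assumed for the <Directory> scope, and the user names xxx/yyy are assumptions; the All and None keywords are not modelled.

```python
# Added example, not httpd code: a small model of how an .htaccess "Options" line
# is validated against "AllowOverride Options=..." and merged with the enclosing
# <Directory> options. Names below are mine, not httpd's.

OPTION_NAMES = {
    "Indexes", "MultiViews", "FollowSymLinks", "SymLinksIfOwnerMatch",
    "ExecCGI", "Includes", "IncludesNOEXEC",
}

# AllowOverride ... Options=Indexes,MultiViews,FollowSymLinks  (from the report)
REPORT_ALLOWED = frozenset({"Indexes", "MultiViews", "FollowSymLinks"})

# Assumption: options in effect for /home/xxx/public_html before any .htaccess
# is read, i.e. the report's "Options +SymLinksIfOwnerMatch" merged into a
# server-level "Options None" baseline.
DIRECTORY_OPTIONS = frozenset({"SymLinksIfOwnerMatch"})


def parse_options_line(line):
    """Return (relative, adds, removes, absolute) for one 'Options ...' line."""
    name, *args = line.split()
    if name != "Options" or not args:
        raise ValueError("expected an 'Options' directive with arguments")
    relative = args[0][0] in "+-"
    adds, removes, absolute = set(), set(), set()
    for arg in args:
        if (arg[0] in "+-") != relative:
            raise ValueError("Options cannot mix relative (+/-) and absolute forms")
        opt = arg.lstrip("+-")
        if opt not in OPTION_NAMES:
            raise ValueError("unknown option %r" % opt)
        if not relative:
            absolute.add(opt)
        elif arg[0] == "+":
            adds.add(opt)
        else:
            removes.add(opt)
    return relative, adds, removes, absolute


def check_allow_override(parsed, allowed):
    """AllowOverride Options= check: every option NAMED on the line, signed or
    not, must be in the allowed list. Options silently dropped by an absolute
    line are never looked at. allowed=None means Options is not in
    AllowOverride at all."""
    if allowed is None:
        raise ValueError("Options not allowed here (not in AllowOverride)")
    _, adds, removes, absolute = parsed
    for opt in adds | removes | absolute:
        if opt not in allowed:
            raise ValueError("Option %s not allowed here" % opt)


def merge_options(inherited, parsed):
    """Relative lines adjust the inherited set; an absolute line replaces it."""
    relative, adds, removes, absolute = parsed
    if relative:
        return frozenset((inherited - removes) | adds)
    return frozenset(absolute)


def follows_symlink(options, link_owner, target_owner):
    """Symlink decision as the report describes it: with SymLinksIfOwnerMatch
    in effect the owner check applies even when FollowSymLinks is also set;
    with FollowSymLinks alone any link is followed; with neither, none is."""
    if "SymLinksIfOwnerMatch" in options:
        return link_owner == target_owner
    return "FollowSymLinks" in options


def simulate_htaccess(line, allowed=REPORT_ALLOWED, inherited=DIRECTORY_OPTIONS):
    """Outcome of putting `line` in .htaccess under the given AllowOverride.

    Returns {"status": "500"} when the directive is refused (the 'internal
    server error' in the report); otherwise the effective options and whether
    a link owned by user xxx pointing at a file owned by user yyy is served.
    """
    try:
        parsed = parse_options_line(line)
        check_allow_override(parsed, allowed)
    except ValueError as exc:
        return {"status": "500", "reason": str(exc)}
    options = merge_options(inherited, parsed)
    return {
        "status": "ok",
        "options": options,
        "reads_other_users_files": follows_symlink(options, "xxx", "yyy"),
    }


if __name__ == "__main__":
    for case in ("Options -SymLinksIfOwnerMatch",
                 "Options +FollowSymLinks",
                 "Options FollowSymLinks"):
        print(case, "->", simulate_htaccess(case))
    # With Options absent from AllowOverride every .htaccess Options line is
    # refused, so the owner check cannot be dropped from .htaccess.
    print("Options not in AllowOverride ->",
          simulate_htaccess("Options FollowSymLinks", allowed=None))
```

Running it prints the three cases in the order the report lists them: the first is refused because SymLinksIfOwnerMatch is named and not allowed, the second keeps the owner check because the relative form merges with the inherited set, and the third passes the check (FollowSymLinks is allowed) yet ends with only FollowSymLinks in effect. The last line shows the practical consequence of comment #1: the Options= list cannot pin an option, so if the owner check must survive, Options has to stay out of AllowOverride for that directory.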