Posted to apache-bugdb@apache.org by Bob Mikrut <bo...@doit.wisc.edu> on 1997/04/24 23:40:01 UTC

mod_access/480: Symlinks still followed even if FollowSymLinks not in options

>Number:         480
>Category:       mod_access
>Synopsis:       Symlinks still followed even if FollowSymLinks not in options
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr 24 14:40:01 1997
>Originator:     bob@doit.wisc.edu
>Organization:
apache
>Release:        1.2b8
>Environment:
AIX 4.2 and AIX 4.1.4 
xlc 3.1.4
>Description:
If user 'bob' has a symlink in '/u/bob/public_html', the link is
followed even if:
  a. FollowSymLink is not in any option line
  b. SymLinkIfOwnerMatch is in the option line
  c. -FollowSymLink is included
This is in the stanza:
</Directory>
<Directory /home/*/WWW>
AllowOverride None
Options Indexes Includes ExecCGI -FollowSymLinks SymLinksIfOwnerMatch
<LIMIT get post>
order deny,allow
deny from all
allow from .adp.wisc.edu .doit.wisc.edu
</LIMIT>
</Directory>
(Note we use 'WWW' instead of 'public_html')

The symlink can be to '/' even and the link is followed, allowing
the user to look at the entire directory tree.

I apologize for this in the hope that I have made a config error.
If this is not the case, then I believe this is a serious bug.
>How-To-Repeat:
I currently have no such links on any of my sites.
If it is unreproducible on your site, please contact me
and I will create such a link temporarily for you.

Bob
>Fix:

>Audit-Trail:
>Unformatted:
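
An added example, not part of the original report and not Apache's own code: a Python audit an administrator could run over a user web directory to list the symlinks the report is concerned with. It flags links that resolve outside the directory and links whose owner differs from the target's owner (the condition SymLinksIfOwnerMatch is meant to enforce). The names `audit_symlinks` and `LinkFinding` are hypothetical, and the directory in the demo is constructed.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class LinkFinding:
    link: str           # path of the symlink itself
    target: str         # where the link resolves to
    escapes_root: bool  # target lies outside the audited directory
    owner_match: bool   # link uid == target uid; False if the target is missing


def audit_symlinks(root):
    """Return a LinkFinding for every symlink under root, without following any."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend through the links being audited.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            inside = os.path.commonpath([root_real, target]) == root_real
            try:
                # stat() follows the link, lstat() describes the link itself.
                owner_match = os.lstat(path).st_uid == os.stat(path).st_uid
            except OSError:
                owner_match = False  # dangling link or symlink loop
            findings.append(LinkFinding(path, target, not inside, owner_match))
    return findings


if __name__ == "__main__":
    # Constructed layout mirroring the report: a user 'WWW' directory
    # holding one harmless link and one link to '/'.
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "WWW")
        os.mkdir(www)
        open(os.path.join(www, "index.html"), "w").close()
        os.symlink("index.html", os.path.join(www, "home.html"))
        os.symlink("/", os.path.join(www, "rootlink"))
        for f in audit_symlinks(www):
            print(f"{f.link} -> {f.target} "
                  f"escapes_root={f.escapes_root} owner_match={f.owner_match}")
```

Any link reported with `escapes_root=True` or `owner_match=False` is one that a request should not be able to traverse under the options in the stanza above, so it is a candidate for a manual request test against the server.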