You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2006/11/21 04:09:10 UTC

DirectoryIndex and FollowSymLinks

We spent some time fixing a bug on this.  Bugzilla still has
http://issues.apache.org/bugzilla/show_bug.cgi?id=14206

Checking the records, I see in CHANGES for /trunk/

  *) core: Do not allow internal redirects like the DirectoryIndex of
    mod_dir to circumvent the symbolic link checks imposed by
    FollowSymLinks and SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem,
    William Rowe]

But it doesn't appear to be backported, nor is there a proposal
in STATUS.

Does anyone recollect where we left this?  Were there still
loose ends that would make a backport problematic?


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: DirectoryIndex and FollowSymLinks

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Nick Kew wrote:
> We spent some time fixing a bug on this.  Bugzilla still has
> http://issues.apache.org/bugzilla/show_bug.cgi?id=14206
> 
> Checking the records, I see in CHANGES for /trunk/
> 
>   *) core: Do not allow internal redirects like the DirectoryIndex of
>     mod_dir to circumvent the symbolic link checks imposed by
>     FollowSymLinks and SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem,
>     William Rowe]
> 
> But it doesn't appear to be backported, nor is there a proposal
> in STATUS.
> 
> Does anyone recollect where we left this?  Were there still
> loose ends that would make a backport problematic?

Yes there were loose ends - thank you for pushing this back to the top
of the stack.  I disagreed that it's the entire/correct solution on the
first inspection, and need to go back to reviewing it today.

Thanks again for pointing this out!  We look ready to roll apr tomorrow
about noon, so this should be fixed in the next day or two before Jim
gets to rolling a 2.2.4!!!