Re: httpd symlinks

Jon Lewis (jlewis@inorganic5.chem.ufl.edu)
Tue, 5 Sep 1995 00:34:43 -0400

On Mon, 4 Sep 1995, Daniel S. Riley wrote:

> >> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
> >> about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely
> >> documented.
>
> SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
> also broken.  Here's the bug report I submitted to the ncsa-httpd
> team:

I was just fooling around and was shocked to find that
SymLinksIfOwnerMatch is totally broken in the version of Apache I've been
using.  I created a symlink from a public_htm dir to / and was able to
see /.  I downloaded/compiled the latest apache and did some testing of
SymLinksIfOwnerMatch with various versions of httpd I had handy and found
the following:

NCSA 1.3        works, even on double symlinks
Apache 0.6.2    works on symlinks, broken for double symlinks
Apache 0.8.8    broken for symlinks and double symlinks
Apache 0.8.11   works, even on double symlinks

By "works", I mean it gave a Forbidden message when the symlink was
tried...by "broken", I mean symlinks were followed when they should not
have been.

------------------------------------------------------------------
 Jon Lewis                      |  Mime attachments are OK
 jlewis@inorganic5.chem.ufl.edu |  But please ask before sending
 http://inorganic5.chem.ufl.edu |  unsolicited huge files.
                                |
_____Finger jlewis@inorganic5.chem.ufl.edu for PGP public key_____
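
Added example, not part of the original message or of any httpd source: a Python audit that flags symlinks under a document root whose owner differs from the owner of the final target, which is the case where SymLinksIfOwnerMatch is expected to answer Forbidden, including the double-symlink case tested above. The function names and the demo tree (`public_html`, `foreign`, `ok`, `single`, `double`) are constructed, and the demo fakes a second owner because creating files as another user would need root.

```python
import os
import stat
import tempfile
from types import SimpleNamespace

def link_owner_matches(path, lstat=os.lstat, follow=os.stat):
    """True unless path is a symlink whose owner differs from its final target's."""
    link = lstat(path)
    if not stat.S_ISLNK(link.st_mode):
        return True
    try:
        target = follow(path)  # stat() resolves every hop of a chained link
    except OSError:
        return False  # dangling link or symlink loop: refuse
    return link.st_uid == target.st_uid

def audit(docroot, follow=os.stat):
    """Relative paths of symlinks under docroot that fail the owner check."""
    failed = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # links are listed, not entered
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not link_owner_matches(path, follow=follow):
                failed.append(os.path.relpath(path, docroot))
    return sorted(failed)

def build_demo():
    """Constructed tree: a same-owner link, plus a single and a double link to 'foreign'."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot, foreign = os.path.join(base, "public_html"), os.path.join(base, "foreign")
    os.mkdir(docroot)
    os.mkdir(foreign)
    open(os.path.join(docroot, "page.html"), "w").close()
    os.symlink("page.html", os.path.join(docroot, "ok"))
    os.symlink(foreign, os.path.join(docroot, "single"))
    os.symlink("single", os.path.join(docroot, "double"))  # double -> single -> foreign

    def follow(path):
        # Assumption for the demo only: report 'foreign' as owned by a different uid.
        real = os.stat(path)
        uid = real.st_uid + 1 if os.path.realpath(path) == foreign else real.st_uid
        return SimpleNamespace(st_mode=real.st_mode, st_uid=uid)

    return docroot, follow

if __name__ == "__main__":
    root, follow = build_demo()
    print(audit(root, follow=follow))
```

On a real server, call `audit("/path/to/docroot")` with the default `follow` so the comparison uses actual file ownership.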