>Number:         480
>Category:       mod_access
>Synopsis:       Symlinks still followed even if FollowSymLinks not in options
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr 24 14:40:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.2b8
>Environment:
AIX 4.2 and AIX 4.1.4
xlc 3.1.4
>Description:
If user 'bob' has a symlink in '/u/bob/public_html', the link is followed
even if:

  a. FollowSymLink is not in any option line
  b. SymLinkIfOwnerMatch is in the option line
  c. -FollowSymLink is included

This is in the stanza:

    </Directory>
    <Directory /home/*/WWW>
    AllowOverride None
    Options Indexes Includes ExecCGI -FollowSymLinks SymLinksIfOwnerMatch
    <LIMIT get post>
    order deny,allow
    deny from all
    allow from .adp.wisc.edu .doit.wisc.edu
    </LIMIT>
    </Directory>

(Note we use 'WWW' instead of 'public_html')

The symlink can be to '/' even and the link is followed, allowing the user
to look at the entire directory tree.

I apologize for this in the hope that I have made a config error. If this is
not the case, then I believe this is a serious bug.
>How-To-Repeat:
I currently have no such links on any of my sites. If it is unreproducible on
your site, please contact me and I will create such a link temporarily for you.

Bob
>Fix:
>Audit-Trail:
>Unformatted:
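An audit example added to this archived report (not part of the original submission and not Apache code): it walks a user web directory and lists every symlink with the two properties the report is concerned with, whether the link's owner matches the target's owner (the condition SymLinksIfOwnerMatch is documented to require) and whether the target resolves outside the directory. The function name, the field names and the demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_symlinks(root):
    """Return one finding per symlink under root, without following links."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames but are not descended into.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = os.lstat(path)          # metadata of the link itself
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            target = os.path.realpath(path)   # fully resolved destination
            try:
                # os.stat follows the link, so st_uid is the target's owner.
                owner_match = os.stat(path).st_uid == link_st.st_uid
            except OSError:
                owner_match = False           # dangling link or symlink loop
            inside = os.path.commonpath([root_real, target]) == root_real
            findings.append({
                "link": path,
                "target": target,
                "owner_match": owner_match,
                "escapes_root": not inside,
            })
    return findings


if __name__ == "__main__":
    # Constructed demo tree: one link that stays inside, one that points at '/'.
    with tempfile.TemporaryDirectory() as www:
        os.mkdir(os.path.join(www, "docs"))
        page = os.path.join(www, "docs", "page.html")
        open(page, "w").close()
        os.symlink(page, os.path.join(www, "inside"))
        os.symlink("/", os.path.join(www, "rootfs"))
        for f in audit_symlinks(www):
            flag = "REVIEW" if f["escapes_root"] or not f["owner_match"] else "ok"
            print(f"{flag:6} {f['link']} -> {f['target']} "
                  f"(owner_match={f['owner_match']})")
```

Run against each directory matched by the `<Directory>` pattern, the output gives an administrator the list of links to review independently of how the server evaluates its Options line.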
