>Number:         920
>Category:       documentation
>Synopsis:       Advise an htaccess file in /...
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          doc-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jul 25 17:00:02 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        25 July, 1996
>Environment:    Doesn't matter, but Solaris 2.5...
>Description:
As http://www.apache.org/docs/mod/core.html#options states, with FollowSymLinks the directory isn't re-written and compared. Thus, if a user does something like `ln -s / root' in the right place, folks can walk the directory tree.

This isn't a big deal for places (like us) which give CGI access, but your docs advise a <directory /> deny... </directory> clause already. The User* bit in 1.3 is a nice idea, but a single-line htaccess (deny from all) is simpler. And some folks here already cross-link in the file system, so I can't use SymLinksIfOwnerMatch. Of course, this assumes you allow htaccess files under user directories.
>How-To-Repeat:
>Fix:
Eh, it's not a huge deal. No response necessary, either.
>Audit-Trail:
>Unformatted:
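The configuration below is an added illustration of the situation the report describes, not part of the PR or of the Apache distribution: the weak user-directory setting next to a hardened one in Apache 1.x syntax. The path /home/*/public_html is an assumed placeholder for wherever user directories live.

```apache
# Weak form (what the report describes): symlinks are followed, and the
# pathname matched against <Directory> sections is the link path, not its
# target. A link made with `ln -s / root` inside public_html is served as
# /home/<user>/public_html/root/..., so the Allow for public_html covers
# the whole filesystem reachable through that link.
<Directory /home/*/public_html>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

# Hardened form: start from a deny-everything root, then re-open only the
# user directories without FollowSymLinks. An absolute Options list
# replaces the inherited set, so FollowSymLinks is off here; the server
# lstat()s each path component and answers a symlink with 403 Forbidden.
# SymLinksIfOwnerMatch is the alternative when links must keep working and
# link owner equals target owner; as the report notes, it does not suit
# sites where users legitimately cross-link each other's files.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory /home/*/public_html>
    Options Indexes
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Directory>
```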
