https://issues.apache.org/bugzilla/show_bug.cgi?id=45959
--- Comment #9 from Paul B. Henson <[EMAIL PROTECTED]> 2008-10-29 19:35:52 PST ---
I dug into this some more.

In the file request.c, the function ap_directory_walk contains the following
code:

    /* If we have a file already matches the path of r->filename,
     * and the vhost's list of directory sections hasn't changed,
     * we can skip rewalking the directory_walk entries.
     */
    if (cache->cached
        && ((r->finfo.filetype == APR_REG)
            || ((r->finfo.filetype == APR_DIR)
                && (!r->path_info || !*r->path_info)))
        && (cache->dir_conf_tested == sec_ent)
        && (strcmp(entry_dir, cache->cached) == 0)) {
        /* Well this looks really familiar!  If our end-result (per_dir_result)
         * didn't change, we have absolutely nothing to do :)
         * Otherwise (as is the case with most dir_merged/file_merged requests)
         * we must merge our dir_conf_merged onto this new r->per_dir_config.
         */
        if (r->per_dir_config == cache->per_dir_result) {
            return OK;
        }
        if (r->per_dir_config == cache->dir_conf_merged) {
            r->per_dir_config = cache->per_dir_result;
            return OK;
        }

When the SSI include is processed, either file or virtual, the check in the
last if statement shown above is true, and the function immediately returns OK
with no further processing.

If I comment out the section of code that checks for a cached entry, and force
it to fully process the request, the attempted inclusion of the symbolic link
fails:

    [Wed Oct 29 19:30:50 2008] [error] [client 134.71.248.12] Symbolic link not allowed or link target not accessible: /export/user/bldewolf/www/secrets3
    [Wed Oct 29 19:30:50 2008] [error] [client 134.71.248.12] unable to include "secrets3" in parsed file /export/user/bldewolf/www/test3.shtml

There appears to be an invalid assumption in this cache check; clearly, behavior
is different if the subrequest is fully processed rather than using the cache.

I think this is a security bug: the configured restriction on symbolic link
handling is being bypassed by the cache optimization.

Please let me know what you think of this.
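
A simplified model of the behaviour reported in this comment, added here as an example (it is not httpd code and not part of the bug report): a walk cache keyed only on the directory returns OK before the per-file symlink check runs. The struct, the function names and the /www/ tree are hypothetical, and the model assumes the symlink check is per-file and comes after the cache test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OK 0
#define HTTP_FORBIDDEN 403

/* Constructed sample tree: a regular file and a symlink in one directory. */
struct node { const char *dir, *name; bool is_symlink; };
static const struct node tree[] = {
    { "/www/", "test3.shtml", false },
    { "/www/", "secrets3",    true  },
};

/* Hypothetical cache, keyed on the directory only (cf. cache->cached). */
struct walk_cache { const char *cached_dir; };
typedef int (*walk_fn)(struct walk_cache *, const char *, const char *);

/* Per-file policy: symlinks are refused, as under the configured restriction. */
static int check_symlink(const char *dir, const char *name) {
    for (size_t i = 0; i < sizeof tree / sizeof tree[0]; i++)
        if (!strcmp(tree[i].dir, dir) && !strcmp(tree[i].name, name))
            return tree[i].is_symlink ? HTTP_FORBIDDEN : OK;
    return HTTP_FORBIDDEN; /* unknown path: deny */
}

/* Flawed: a directory cache hit returns OK before the file is examined. */
static int walk_flawed(struct walk_cache *c, const char *dir, const char *name) {
    if (c->cached_dir && strcmp(dir, c->cached_dir) == 0)
        return OK;
    int rv = check_symlink(dir, name);
    if (rv == OK) c->cached_dir = dir;
    return rv;
}

/* Checked: the cache may skip directory-level work (elided), never the file check. */
static int walk_checked(struct walk_cache *c, const char *dir, const char *name) {
    int rv = check_symlink(dir, name);
    if (rv == OK) c->cached_dir = dir;
    return rv;
}

/* Main request for the .shtml, then the include subrequest in the same directory. */
static int include_status(walk_fn walk) {
    struct walk_cache c = { NULL };
    if (walk(&c, "/www/", "test3.shtml") != OK) return -1;
    return walk(&c, "/www/", "secrets3");
}

int main(void) {
    printf("flawed: %d, checked: %d\n",
           include_status(walk_flawed), include_status(walk_checked));
    return 0;
}
```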