https://issues.apache.org/bugzilla/show_bug.cgi?id=56531
Bug ID: 56531
Summary: FollowSymLinks allows serving files from root file system
Product: Apache httpd-2
Version: 2.4.9
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
I assumed having a <Directory /> block with Options None and Require all denied
would be enough to prevent Apache from serving files from the file system root,
but it does not. A symlink in /var/www/ pointing to /etc/ allows serving files
from /etc/. One can of course use SymLinksIfOwnerMatch, but I find the current
behavior still somewhat dangerous especially since Linux distros come with
FollowSymLinks enabled by default and it's also recommended for performance.
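An audit sketch for the situation the report describes, added here as an example and not taken from the report or from Apache httpd: it walks a document root and lists symlinks whose resolved target lies outside it, which FollowSymLinks would follow. The function name `find_escaping_symlinks` is hypothetical, and the `same_owner` flag is an approximation of the SymLinksIfOwnerMatch rule (link owner equals target owner), not httpd's own check.

```python
import os
import sys


def find_escaping_symlinks(docroot):
    """Return sorted (link, resolved_target, same_owner) tuples for every
    symlink under docroot that resolves to a path outside docroot."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: symlinked directories are listed but not descended,
    # so the walk itself never leaves the document root.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links too
            if os.path.commonpath([root, target]) == root:
                continue  # stays inside the document root
            link_uid = os.lstat(path).st_uid  # owner of the link itself
            try:
                # Assumption: approximates SymLinksIfOwnerMatch, which only
                # follows a link whose target has the same owner.
                same_owner = os.stat(path).st_uid == link_uid
            except OSError:
                same_owner = False  # dangling link, nothing to serve
            findings.append((path, target, same_owner))
    return sorted(findings)


if __name__ == "__main__":
    # /var/www is the document root named in the report; pass another path
    # as the first argument to audit a different tree.
    for link, target, same_owner in find_escaping_symlinks(
        sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    ):
        note = "owner matches" if same_owner else "owner differs"
        print(f"{link} -> {target} ({note})")
```

Links reported with "owner matches" would still be followed under SymLinksIfOwnerMatch, so they need review in either configuration.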