https://bz.apache.org/bugzilla/show_bug.cgi?id=49439
--- Comment #11 from [email protected] ---
(In reply to Witold Baryluk from comment #8)
> (In reply to comment #7)
> > Can you give a repro case with the simplest possible configuration for this?
>
> I have already given a reproduction case. It is a very simple case. I cannot minimize
> it in any way. It really is just a few files to be put in a clean installation
> (preferably Debian), with php5-cgi as an example, and eventually edit them to
> make the username proper. I can try using pure CGI without FCGI, and try
> to run some simple bash CGI, without PHP, if you wish.
>
> > It's not obvious to me why unconditionally propagating the userdir identity
> > from a subrequest to the main request (which may be of a URI outside
> > userdir-enabled space) is a good idea.
>
> This is exactly the comment I was waiting for! I was sure that there are some
> cases where it is bad.
>
> As I understand it, a subrequest will be made on redirect/rewrite or server
> includes, right?
>
> Even then I do not think it is very unsafe, as when using suexec the whole
> server is already running as root, or www-data, which has quite big
> permissions to all files. So changing the uid cannot make it worse, in my
> opinion. It will not give access to more than it already has. (Because most
> often www-data already has read permission to most user files.) But of
> course if it were possible to switch from one user to another user's UID,
> then indeed, things like deleting others' files would be a problem.
>
> When does this "switch" happen?
> On server includes? (I do not exactly understand what a "subrequest" is,
> unfortunately.)
> Can subrequests be done recursively? (subrequest of subrequest?)
