On Thu, Jul 20, 2006 at 11:01:08AM -0000, [EMAIL PROTECTED] wrote:
> Author: rpluem
> Date: Thu Jul 20 04:01:07 2006
> New Revision: 423886
>
> URL: http://svn.apache.org/viewvc?rev=423886&view=rev
> Log:
> * Check for symbolic links of the target file in the optimized case that we
>   had already done this specific directory walk for this request. This can
>   happen when we have an internal redirect, like the ones caused by mod_dir
>   (/ -> index.html). See also
>
>   http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/[EMAIL PROTECTED]
>
>   If we do not do this we have a security hole as the FollowSymLinks and
>   SymLinksIfOwnerMatch settings can be circumvented this way.

I think it's a *very* bad idea to imply that SymLinksIfOwnerMatch is a
security feature. If you did want to call this a "security feature" then
you also need to fix the big fat race condition in between all those nice
careful stat() calls and the default handler going to open the file. Which
I doubt would be simple to say the least.

I'd stay well clear of the word "security" here.

joe
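
The gap between the stat() checks and the later open() that the reply points at, shown as an added example that is not part of the original message and is not httpd's code: the sketch opens the file first and then applies the symlink policy to the descriptor it holds, so the object checked is the object served. It covers the final path component only (intermediate directories are not handled); `open_with_policy`, `link_policy` and `demo` are hypothetical names, and the fixture files are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy names mirroring "no symlinks" and SymLinksIfOwnerMatch. */
enum link_policy { NO_LINKS, LINKS_IF_OWNER_MATCH };
/* Open first, then judge the object actually held open. Covers the final
 * path component only; returns a read-only fd, or -1 if the policy rejects. */
int open_with_policy(const char *path, enum link_policy policy)
{
    struct stat opened, named;
    int fd = open(path, O_RDONLY);          /* follows a final symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &opened) != 0 || lstat(path, &named) != 0) goto deny;
    if (S_ISLNK(named.st_mode)) {
        /* Link owner must equal the owner of the file behind the fd. */
        if (policy != LINKS_IF_OWNER_MATCH || named.st_uid != opened.st_uid)
            goto deny;
    } else if (named.st_dev != opened.st_dev || named.st_ino != opened.st_ino) {
        goto deny;                          /* name changed after open() */
    }
    return fd;
deny:
    close(fd);
    return -1;
}

/* Constructed fixtures in a temp dir; bit i is set when case i is allowed. */
int demo(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", file[64], lnk[64];
    int fd, mask = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/index.html", dir);
    snprintf(lnk, sizeof lnk, "%s/link.html", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    const char *paths[] = { file, file, lnk, lnk };
    for (int i = 0; i < 4; i++) {
        fd = open_with_policy(paths[i], i % 2 ? LINKS_IF_OWNER_MATCH : NO_LINKS);
        if (fd >= 0) { mask |= 1 << i; close(fd); }
    }
    unlink(lnk); unlink(file); rmdir(dir);
    return mask;
}
int main(void) { printf("allowed mask: %d\n", demo()); return 0; }
```

A path-based variant that calls lstat() and stat() and only then open() would make the same decisions on these fixtures, but leaves a window in which the link can be re-pointed after the check.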
