code & docs corrections for FollowSymLinks and SymLinksIfOwnerMatch

Tue, 12 Jun 2007 20:31:08 -0700 

Reading resolve_symlink() in server/request.c, it first checks
OPT_SYM_LINKS.  If OPT_SYM_LINKS is set, it never does the checks for link
ownership.  It checks link ownership only when OPT_SYM_OWNER is set and
OPT_SYM_LINKS is unset.

Based on this logic, the following changes should be made to the code and
documentation:

- 1 -

http://httpd.apache.org/docs/2.2/mod/core.html#options

Documentation for SymLinksIfOwnerMatch

Current Text: "The server will only follow symbolic links for which the
target file or directory is owned by the same user id as the link."

Corrected Text: "The server will follow symbolic links for which the target
file or directory is owned by the same user id as the link."

This change removes the word "only".  This changes is needed because if
FollowSymLinks is set, all sym links will be followed, even ones without the
same owner user id.


- 2 -

mod_rewrite.c lines 4461 to 4468 currently read:

    if (!(ap_allow_options(r) & (OPT_SYM_LINKS | OPT_SYM_OWNER))) {
        /* FollowSymLinks is mandatory! */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                     "Options FollowSymLinks or SymLinksIfOwnerMatch is off
"
                     "which implies that RewriteRule directive is forbidden:
"
                     "%s", r->filename);
        return HTTP_FORBIDDEN;
    }

The options test is correct, however, the error message should be changed
to: "Options FollowSymLinks and SymLinksIfOwnerMatch are both off which
implies that RewriteRule directive is forbidden".  This message describes
what actually happens: RewriteEngine can currently be enabled if either
FollowSymlinks or SymLinksIfOwnerMatch is enabled.  It only displays the
error if both are disabled.


request.c lines 930 to 934 currently read:

            if (r->finfo.filetype
#ifdef CASE_BLIND_FILESYSTEM
                && (filename_len <= canonical_len)
#endif
                && ((opts.opts & (OPT_SYM_OWNER | OPT_SYM_LINKS)) ==
OPT_SYM_LINKS))


The last line should read

                && (opts.opts & OPT_SYM_LINKS) )

This change accurately reflects the logic of resolve_symlink(); if
OPT_SYM_LINKS is set, then the state of OPT_SYM_OWNER does not matter.


I will also be submitting a correction for the open attempt on
"../file.html/.htaccess", but I wanted to get this issue out of the way
first.

Allen

Reply via email to