On Fri, 16 Mar 2012 07:54:37 -0400 Eric Covener <[email protected]> wrote:
> Seems like IRC users are often confused that permission denied errors > include the URI only and not the filesystem path. > > (They're convinced it's failing because httpd is looking in the wrong > place for /index.html, or they think we forgot to add a documentroot, > or have no idea where /foo/bar/baz is supposed to be in the > filesystem) > > Is there any harm in adding it? This is the rv from a stat in the > directory walk. Yes, there is harm. Exposing filesystem information will bring in a flood of vulnerability reports. Remember the kerfuffle we had about inodes appearing in etags? Maybe exposing it at loglevel debug would be a compromise? -- Nick Kew
