On Fri, Mar 16, 2012 at 9:58 AM, Plüm, Rüdiger, VF-Group <[email protected]> wrote:
>
>
>> -----Original Message-----
>> From: Nick Kew
>> Sent: Friday, 16 March 2012 14:50
>> To: [email protected]
>> Subject: Re: printing r->filename for access denied errors
>>
>> On Fri, 16 Mar 2012 07:54:37 -0400
>> Eric Covener <[email protected]> wrote:
>>
>> > Seems like IRC users are often confused that permission denied errors
>> > include the URI only and not the filesystem path.
>> >
>> > (They're convinced it's failing because httpd is looking in the wrong
>> > place for /index.html, or they think we forgot to add a documentroot,
>> > or have no idea where /foo/bar/baz is supposed to be in the
>> > filesystem)
>> >
>> > Is there any harm in adding it? This is the rv from a stat in the
>> > directory walk.
>>
>> Yes, there is harm. Exposing filesystem information will bring
>> in a flood of vulnerability reports. Remember the kerfuffle we
>> had about inodes appearing in etags?
>
> The vulnerability report about inodes in etags was because an HTTP client
> could read the inode information (Do not want to rehash the discussion here
> if this is really a vulnerability if an HTTP client retrieves this
> information).
> In this case the information is kept on the server and only written to the
> logfile.
> I see no vulnerability here and IMHO "vulnerability" reports on this should
> be easy to fend off.
>
+1, I believe r->filename is already recorded in similar messages too (bad perms on opening file vs. bad perms in directory walk)
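The distinction the thread turns on is where the filesystem path ends up: in the server's error log (operator-only) versus in the response body (client-visible). The following is an added illustration, not httpd code: a hypothetical check_path() that stats the mapped file, writes the path and OS error into a log line, and builds a client-facing message that carries only the request URI. The function name, buffer layout and status mapping are assumptions made here for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Map a stat() errno to the HTTP status a server would send.
 * EACCES -> 403, ENOENT -> 404, anything else -> 500.
 * (Assumed mapping for this example.) */
static int status_for_errno(int err)
{
    if (err == EACCES) return 403;
    if (err == ENOENT) return 404;
    return 500;
}

/* Illustrative split of error reporting (not httpd's code).
 *
 * uri       - the request URI as the client sent it
 * filename  - the filesystem path the URI was mapped to (r->filename
 *             in httpd terms)
 * logbuf    - receives the server-side log line: URI, OS error AND path
 * clientbuf - receives the client-facing text: status and URI ONLY
 *
 * Returns 0 if stat() succeeded (both buffers are emptied), otherwise
 * the errno from the failed stat(). */
int check_path(const char *uri, const char *filename,
               char *logbuf, size_t loglen,
               char *clientbuf, size_t clientlen)
{
    struct stat st;
    if (stat(filename, &st) == 0) {
        logbuf[0] = '\0';
        clientbuf[0] = '\0';
        return 0;
    }
    int saved = errno;

    /* Server-side only: the path and the OS error are exactly the
     * information the thread proposes adding to the log message. */
    snprintf(logbuf, loglen,
             "[error] access to %s denied: %s (%s)",
             uri, strerror(saved), filename);

    /* Client-facing: status and URI, never the filesystem path. */
    snprintf(clientbuf, clientlen,
             "%d: you don't have permission to access %s on this server",
             status_for_errno(saved), uri);
    return saved;
}

int main(void)
{
    char logline[256], body[256];
    /* Constructed input: a path that does not exist on the test host. */
    int rv = check_path("/index.html", "/nonexistent-docroot/index.html",
                        logline, sizeof logline, body, sizeof body);
    printf("rv=%d\nlog:    %s\nclient: %s\n", rv, logline, body);
    return 0;
}
```

Running it against a missing document root shows the log line naming the path while the client text names only /index.html, which is the separation that makes the proposed change a logging improvement rather than an information disclosure.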
