On 10/31/2012 06:00 AM, Eric Covener wrote:
> In general that is the proper form -- but this particular issue is
> documented as a limitation:
> "Omitting this option should not be considered a security restriction,
> since symlink testing is subject to race conditions that make it
> circumventable."
Some users (like Bluehost) require the functionality of symlinks without
the possibility of server-side vulnerabilities. Having the vulnerability
documented doesn't keep servers safe. The patch I submitted allows httpd
to use symlinks in a protected fashion that doesn't allow for users to
serve arbitrary files.
I'll go ahead and submit a more detailed email to the security. More
feedback from the devs is appreciated.
--
Eric Jacobs
Junior Systems Administrator
Bluehost.com
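The race the quoted documentation refers to, as an added example that is not code from this thread, from httpd, or from the patch Eric Jacobs mentions: the lstat()-then-open() check that the docs call circumventable, beside a per-component openat() walk with O_NOFOLLOW that has no check/use gap. The docroot layout, file names and the /etc/passwd symlink target are a constructed fixture created under /tmp; none of them come from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check-then-use pattern the httpd docs call racy: lstat() says "not a
 * symlink", then open() follows whatever sits at the path a moment later.
 * An attacker who can rename() inside that directory swaps a regular file
 * for a symlink in that gap, and the check proves nothing. */
int naive_open(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    return open(path, O_RDONLY | O_CLOEXEC);   /* the TOCTOU window is here */
}

/* Race-free alternative: walk rel_path one component at a time with openat()
 * relative to the directory fd already held, O_NOFOLLOW on every step.  The
 * kernel resolves each component atomically against that fd, so there is no
 * check/use gap: a symlink anywhere in the path fails with ELOOP, and ".." is
 * refused so the walk cannot escape root_fd.  Returns an fd or -1 (errno set). */
int safe_open_nofollow(int root_fd, const char *rel_path)
{
    char buf[PATH_MAX];
    if (strlen(rel_path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel_path);
    int dir_fd = dup(root_fd);
    if (dir_fd < 0)
        return -1;
    char *save = NULL;
    for (char *tok = strtok_r(buf, "/", &save); tok != NULL;) {
        char *next = strtok_r(NULL, "/", &save);
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC;
        if (next != NULL)
            flags |= O_DIRECTORY;            /* intermediates must be real dirs */
        if (strcmp(tok, "..") == 0) { close(dir_fd); errno = EACCES; return -1; }
        int fd = openat(dir_fd, tok, flags), saved = errno;
        close(dir_fd);
        if (fd < 0) { errno = saved; return -1; }
        dir_fd = fd;
        tok = next;
    }
    return dir_fd;
}

/* Constructed fixture (not from the thread): <dir>/public/index.html is a
 * regular file and <dir>/public/passwd is a symlink to /etc/passwd.  Fills
 * dir[] with the temp path and returns an O_DIRECTORY fd for it, or -1. */
int make_fixture(char dir[PATH_MAX])
{
    char path[PATH_MAX];
    strcpy(dir, "/tmp/nofollow-demo-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/public", dir);
    if (mkdir(path, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/public/index.html", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "hello\n", 6) != 6)
        return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/public/passwd", dir);
    if (symlink("/etc/passwd", path) != 0)
        return -1;
    return open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

void remove_fixture(const char *dir)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/public/passwd", dir);     unlink(path);
    snprintf(path, sizeof path, "%s/public/index.html", dir); unlink(path);
    snprintf(path, sizeof path, "%s/public", dir);            rmdir(path);
    rmdir(dir);
}

/* Returns 0 when the regular file opens, the symlink is refused with ELOOP and
 * traversal is refused; otherwise the number of the first failing step. */
int run_checks(void)
{
    char dir[PATH_MAX];
    int root = make_fixture(dir), rc = 0, fd;
    if (root < 0)
        return 1;
    if ((fd = safe_open_nofollow(root, "public/index.html")) < 0) rc = 2;
    else close(fd);
    if (rc == 0 && ((fd = safe_open_nofollow(root, "public/passwd")) >= 0 || errno != ELOOP)) {
        if (fd >= 0) close(fd);
        rc = 3;
    }
    if (rc == 0 && (fd = safe_open_nofollow(root, "public/../../etc/passwd")) >= 0) {
        close(fd);
        rc = 4;
    }
    close(root);
    remove_fixture(dir);
    return rc;
}

int main(void)
{
    int rc = run_checks();
    printf("run_checks() -> %d (0 = all behaviours as described)\n", rc);
    return rc;
}
```

The fd that safe_open_nofollow() returns can be fstat()ed for ownership or mode checks without reopening a path, so those checks are not racy either. naive_open() is included only to show the pattern the docs warn about; a single-threaded run cannot exhibit its window, which is exactly why it cannot be tested into correctness.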