Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes

To: 524474@bugs.debian.org
Subject: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
From: John Lightsey <lightsey@debian.org>
Date: Sat, 02 May 2009 21:27:34 -0500
Message-id: <[🔎] 1241317654.25658.14.camel@home>
Reply-to: John Lightsey <lightsey@debian.org>, 524474@bugs.debian.org

This shouldn't be tagged as a grave security issue.  The symlink tests
in Apache are trivial to overcome with timing attacks and the Apache
documentation explicitly states that the symlink tests should not be
considered a security restriction.

http://httpd.apache.org/docs/2.2/mod/core.html#options

John

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Processed: tagpending
Next by Date: Sulik.sk - Fico zil vzdy iba z cudzich penazi
Previous by thread: Processed: tagpending
Next by thread: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
Index(es):
- Date
- Thread