Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
tags 524474 - security
severity 524474 important
thanks
On Sunday 03 May 2009, John Lightsey wrote:
> This shouldn't be tagged as a grave security issue. The symlink
> tests in Apache are trivial to overcome with timing attacks and the
> Apache documentation explicitly states that the symlink tests
> should not be considered a security restriction.
I agree. Especially considering that all 2.0.x and 2.2.x behaved in
this way.
Reply to: