On Sep 14, 2007, at 3:30 PM, Filip Hanik - Dev Lists wrote:
Costin Manolache wrote:
I'm not sure the security discussion is that simple; this seems quite a dangerous change.

Currently the user is restricted to the webapps/ directory (well, he can add a context with the base in /etc and expose passwd I guess - but hopefully if a deploy tool is used or some automation is done on adding webapps, it can be controlled). At least this introduces one more risk.
What does httpd do when you set up an alias or document root for the /etc directory? Since it does, would that mean that httpd should not include the Alias feature?

This is the same scenario: adding a useful feature that can go wrong when misconfigured doesn't mean we shouldn't do it.

Tomcat already would allow you to do docBase="/etc", so the risk already exists, and no, the user is not restricted to the webapps directory.
httpd allows not only following of symlinks but also having content outside of DocumentRoot via the Alias directive.

But, of course, httpd has had this for ages, and the core internals of httpd know how to handle the security implications of both symlinks on the file system and Aliases in the configuration... The question is: does this patch open any holes it shouldn't...
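Both sides of the thread agree the risk already exists in configuration: a Tomcat Context whose docBase resolves outside the Host's appBase, or an httpd Alias that maps a URL outside DocumentRoot. The script below is an added example for this discussion, not Tomcat or httpd code; it audits both kinds of config for such escapes. The server.xml and httpd.conf fragments are constructed, and the CATALINA_BASE path /opt/tomcat is an assumption used only to resolve a relative appBase the way Tomcat does (appBase against CATALINA_BASE, docBase against appBase).

```python
"""Audit Tomcat <Context docBase> and httpd Alias directives for paths
that escape the web-application base (appBase / DocumentRoot).

Added example for the thread above; not Tomcat or httpd project code.
All sample configuration below is constructed for illustration.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: one Context inside appBase, one that
# escapes via an absolute path, one that escapes via "..".
TOMCAT_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop"/>
        <Context path="/files" docBase="/etc"/>
        <Context path="/up" docBase="../conf"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed httpd.conf fragment: one Alias inside DocumentRoot, one outside.
HTTPD_CONF = """DocumentRoot "/var/www/html"
Alias /static "/var/www/html/static"
Alias /secrets "/etc"
"""

ALIAS_RE = re.compile(r'^\s*(Alias|ScriptAlias)\s+(\S+)\s+"?([^"\s]+)"?', re.M)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M)


def _escapes(base, target):
    """True when target (after symlink resolution) is not base or below it.
    realpath is used deliberately: a symlink inside base that points at
    /etc is the case the thread is worried about."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) != base


def audit_tomcat(server_xml, catalina_base="/opt/tomcat"):
    """Return (context path, docBase, resolved path) for every Context whose
    docBase resolves outside its Host's appBase. catalina_base is an
    assumed CATALINA_BASE used only to resolve a relative appBase."""
    findings = []
    root = ET.fromstring(server_xml)
    for host in root.iter("Host"):
        # os.path.join keeps an absolute appBase as-is, like Tomcat does.
        app_base = os.path.join(catalina_base, host.get("appBase", "webapps"))
        for ctx in host.iter("Context"):
            doc_base = ctx.get("docBase")
            if doc_base is None:
                continue
            resolved = os.path.normpath(os.path.join(app_base, doc_base))
            if _escapes(app_base, resolved):
                findings.append((ctx.get("path"), doc_base, resolved))
    return findings


def audit_httpd(conf):
    """Return (url path, filesystem path) for every Alias/ScriptAlias that
    maps outside DocumentRoot. Alias exists to do exactly that, so a hit
    is a location needing its own <Directory> policy, not automatically a bug."""
    m = DOCROOT_RE.search(conf)
    docroot = m.group(1) if m else "/"
    return [(url, fs) for _, url, fs in ALIAS_RE.findall(conf) if _escapes(docroot, fs)]


if __name__ == "__main__":
    for path, doc_base, resolved in audit_tomcat(TOMCAT_SERVER_XML):
        print(f"tomcat: context {path} docBase={doc_base!r} resolves to {resolved} (outside appBase)")
    for url, fs in audit_httpd(HTTPD_CONF):
        print(f"httpd: Alias {url} -> {fs} (outside DocumentRoot)")
```

The check treats "escapes the base" as the only signal; it does not decide whether an escape is intended. That matches the thread's point: httpd's Alias is a legitimate feature, and the same Tomcat docBase mechanism can be either a deliberate deployment or an /etc exposure, so each hit is something a deploy tool or reviewer should have to justify explicitly.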