https://issues.apache.org/bugzilla/show_bug.cgi?id=45959
Paul B. Henson <[EMAIL PROTECTED]> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
--- Comment #3 from Paul B. Henson <[EMAIL PROTECTED]> 2008-10-09 18:01:12 PST
---
Thanks for taking a look at this. However, include virtual appears to have the
exact same problem. Given the following files in my web home directory:
lrwxrwxrwx 1 henson csupomona 27 Oct 3 14:01 pass.html ->
/usr/pkg/etc/httpd/htpasswd
-rw-r--r-- 1 henson csupomona 37 Oct 9 17:50 test_ssi.shtml
If I attempt to access /~henson/pass.html, I receive "Forbidden You don't have
permission to access /~henson/pass.html on this server." as expected.
The contents of test_ssi.shtml are:
<!--#include virtual="pass.html" -->
When I access /~henson/test_ssi.shtml, the contents of
/usr/pkg/etc/httpd/htpasswd appear in my browser.
As far as I can tell, "include virtual" also appears to ignore the setting of
SymlinkIfOwnerMatch.
In addition, while you can enable includes without exec, I don't believe there
is a way to allow include virtual only, IncludesNoExec allows both file and
virtual includes. So even if include virtual respected SymlinkIfOwnerMatch
(which it appears not to, unless I am missing something), it would not resolve
the issue of being able to have SSI enabled on a server while preventing users
from serving content via symbolic links.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
