https://issues.apache.org/bugzilla/show_bug.cgi?id=45959
Paul B. Henson <[EMAIL PROTECTED]> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
--- Comment #7 from Paul B. Henson <[EMAIL PROTECTED]> 2008-10-10 19:28:32 PST ---
I stripped the configuration down to the bare minimum to demonstrate the
problem:
-------------------------------------
ServerRoot "/usr/pkg"
Listen 0.0.0.0:8080
LoadModule authz_host_module lib/httpd/mod_authz_host.so
LoadModule include_module lib/httpd/mod_include.so
LoadModule log_config_module lib/httpd/mod_log_config.so
LoadModule mime_module lib/httpd/mod_mime.so
User webservd
Group webservd
ServerAdmin [EMAIL PROTECTED]
ServerName www.csupomona.edu:8080
UseCanonicalName On
DocumentRoot "/usr/pkg/share/httpd/htdocs"
PidFile "/var/run/httpd-test.pid"
LockFile "/var/log/httpd/accept-test.lock"
<Directory />
Options -FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/usr/pkg/share/httpd/htdocs">
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
LogLevel warn
ErrorLog "/var/log/httpd/error-test_log"
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/httpd/access-test_log" combined
AddOutputFilter INCLUDES .shtml
-------------------------------
The contents of /usr/pkg/share/httpd/htdocs are:
-rw-r--r-- 1 root root 2326 Jun 25 09:58 apache_pb.gif
-rw-r--r-- 1 root root 1385 Jun 25 09:58 apache_pb.png
-rw-r--r-- 1 root root 2410 Jun 25 09:58 apache_pb22.gif
-rw-r--r-- 1 root root 1502 Jun 25 09:58 apache_pb22.png
-rw-r--r-- 1 root root 2205 Jun 25 09:58 apache_pb22_ani.gif
-rw-r--r-- 1 root root 44 Jun 25 09:58 index.html
lrwxrwxrwx 1 root root 32 Oct 10 17:01 secret.html -> /usr/pkg/etc/httpd/htaccess-test
-rw-r--r-- 1 root root 39 Oct 10 16:55 test_ssi.shtml
The ownership/permissions of the file /usr/pkg/etc/httpd/htaccess-test are:
-rw-r----- 1 root webservd 12 Oct 10 17:01 /usr/pkg/etc/httpd/htaccess-test
(Note: in this case, the ownership of the actual file matches the ownership of
the symbolic link, but I changed the test configuration to "Options
-FollowSymLinks" so it should not be allowed regardless)
The contents of test_ssi.shtml are:
<!--#include virtual="secret.html" -->
To rule out any browser caching or idiosyncrasies, I tested by connecting
directly to the web server via telnet.
Attempting to access the symbolic link directly failed as expected:
-----
# telnet 0 8080
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /secret.html HTTP/1.1
Host: www.csupomona.edu
HTTP/1.1 403 Forbidden
Date: Sat, 11 Oct 2008 00:03:08 GMT
Server: Apache/2.2.8 (Unix)
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /secret.html
on this server.</p>
</body></html>
--------------
With the following in the access/error log:
127.0.0.1 - - [10/Oct/2008:17:03:08 -0700] "GET /secret.html HTTP/1.1" 403 213 "-" "-"
[Fri Oct 10 17:03:11 2008] [error] [client 127.0.0.1] Symbolic link not allowed or link target not accessible: /usr/pkg/share/httpd/htdocs/secret.html
However, accessing the SSI file did not result in any errors, and returned the
contents of the file pointed to by the symbolic link:
------
# telnet 0 8080
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /test_ssi.shtml HTTP/1.1
Host: www.csupomona.edu
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 00:04:12 GMT
Server: Apache/2.2.8 (Unix)
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/plain
c
secret data
------
There was nothing in the error log, and only the following in the access log:
127.0.0.1 - - [10/Oct/2008:17:04:12 -0700] "GET /test_ssi.shtml HTTP/1.1" 200 13 "-" "-"
Ideally, I would expect the server-side include code to follow the same
configuration regarding symbolic links as accessing the links directly would.
Is this expected behavior? A bug? A problem with my configuration or
misunderstanding on my part?
Thanks...
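The report above shows a server-side include pulling in a symlinked file that a direct request was correctly refused for. An administrator who cannot rely on mod_include honouring Options -FollowSymLinks wants a quick way to audit a DocumentRoot for exactly this exposure. The script below is an added example, not code from the bug report or from the httpd project: it lists every symlink under a DocumentRoot whose resolved target lies outside that root, and separately lists every "include virtual" directive found in .shtml files, so the two can be cross-checked. The demo tree it builds (htdocs/secret.html pointing at ../etc/htaccess-test, plus an in-root link alias.html) mirrors the layout in the report and is constructed here; the function and file names are the example's own.

```shell
#!/bin/sh
# Added audit example, not part of the bug report: find symlinks under a
# DocumentRoot that resolve outside it, and list the "include virtual"
# directives in .shtml files that could pull such a link through mod_include.
# All paths, file names and the demo tree below are constructed for the demo.

# Print "link -> target" for every symlink under $1 whose resolved target
# is not inside $1. Returns non-zero if $1 is not a directory.
find_escaping_symlinks() {
    docroot=$(cd "$1" && pwd -P) || return 1
    find "$docroot" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$docroot"/*) ;;   # resolves inside the docroot: nothing to report
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Print "file include_path" for every <!--#include virtual="..." --> found
# in .shtml files under $1.
list_ssi_virtual_includes() {
    find "$1" -name '*.shtml' -type f | while IFS= read -r f; do
        sed -n 's/.*<!--#include[[:space:]][[:space:]]*virtual="\([^"]*\)".*/\1/p' "$f" |
            while IFS= read -r inc; do printf '%s %s\n' "$f" "$inc"; done
    done
}

# Build a throw-away tree mirroring the report's layout and print its root:
#   htdocs/secret.html -> ../etc/htaccess-test   (escapes the docroot)
#   htdocs/alias.html  -> htdocs/index.html      (stays inside)
setup_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/htdocs" "$demo/etc"
    printf 'secret data\n' > "$demo/etc/htaccess-test"
    printf 'hello\n' > "$demo/htdocs/index.html"
    ln -s "$demo/etc/htaccess-test" "$demo/htdocs/secret.html"
    ln -s "$demo/htdocs/index.html" "$demo/htdocs/alias.html"
    printf '<!--#include virtual="secret.html" -->\n' > "$demo/htdocs/test_ssi.shtml"
    printf '%s\n' "$demo"
}

# Usage: sh audit_symlinks.sh [DocumentRoot]; with no argument the demo tree is audited.
root=${1:-$(setup_demo)/htdocs}
echo "Symlinks escaping $root:"
find_escaping_symlinks "$root"
echo "SSI virtual includes under $root:"
list_ssi_virtual_includes "$root"
```

On the demo tree only secret.html is reported as escaping, while alias.html is silent because its target stays under the DocumentRoot; the include listing then shows test_ssi.shtml referencing secret.html, which is the combination the report demonstrates. Resolution uses readlink -f, so a chain of links is judged by its final target rather than by the first hop.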