On Fri, 9 Nov 2001, Michael Douglass wrote:

> I'd be wary of caching the lstat() information for more than the
> current connection; you don't want someone to abuse that cache by
> creating a symlink AFTER letting apache cache the information.

if an attacker can create symlinks they can just as easily copy /etc/passwd or other sensitive world-readable data.

!FollowSymLinks is stupid anyhow, it should die. who even pretends that it helps system security? for perf reasons we changed httpd.conf ages ago to default to FollowSymLinks, and i bet 99% of the apaches out there run this way.

years ago i suggested something such as <http://arctic.org/~dean/apache/1.3/mod_allowdev.c>. if you really think FollowSymLinks is useful then mod_allowdev probably makes even more sense.

-dean