We spent some time fixing a bug on this. Bugzilla still has
http://issues.apache.org/bugzilla/show_bug.cgi?id=14206
Checking the records, I see in CHANGES for /trunk/
  *) core: Do not allow internal redirects like the DirectoryIndex of
     mod_dir to circumvent the symbolic link checks imposed by
     FollowSymLinks and SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem,
     William Rowe]
But it doesn't appear to be backported, nor is there a proposal
in STATUS.
Does anyone recollect where we left this? Were there still
loose ends that would make a backport problematic?
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/