> -----Original Message-----
> From: Nick Kew
> Sent: Friday, 16 March 2012 14:50
> To: dev@httpd.apache.org
> Subject: Re: printing r->filename for access denied errors
>
> On Fri, 16 Mar 2012 07:54:37 -0400
> Eric Covener <cove...@gmail.com> wrote:
>
> > Seems like IRC users are often confused that permission denied errors
> > include the URI only and not the filesystem path.
> >
> > (They're convinced it's failing because httpd is looking in the wrong
> > place for /index.html, or they think we forgot to add a documentroot,
> > or have no idea where /foo/bar/baz is supposed to be in the
> > filesystem)
> >
> > Is there any harm in adding it? This is the rv from a stat in the
> > directory walk.
>
> Yes, there is harm. Exposing filesystem information will bring
> in a flood of vulnerability reports. Remember the kerfuffle we
> had about inodes appearing in etags?

The vulnerability report about inodes in etags was because an HTTP client could read the inode information (Do not want to rehash the discussion here if this is really a vulnerability if an HTTP client retrieves this information). In this case the information is kept on the server and only written to the logfile. I see no vulnerability here and IMHO "vulnerability" reports on this should be easy to fend off.

Regards

Rüdiger