Received: (qmail 92643 invoked by uid 501); 6 Jun 2000 19:38:18 -0000 Message-Id: <20000606193818.92641.qmail@locus.apache.org> Date: 6 Jun 2000 19:38:18 -0000 From: Dan Astoorian Reply-To: djast@cs.toronto.edu To: submit@bugz.apache.org Subject: mod_autoindex ignores setting of Options FollowSymLinks/SymLinksIfOwnerMatch X-Send-Pr-Version: 3.110 >Number: 6153 >Category: mod_autoindex >Synopsis: mod_autoindex ignores setting of Options FollowSymLinks/SymLinksIfOwnerMatch >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: apache >Arrival-Date: Tue Jun 06 12:40:00 PDT 2000 >Closed-Date: Tue Aug 07 07:23:46 PDT 2001 >Last-Modified: Tue Aug 07 07:23:46 PDT 2001 >Originator: djast@cs.toronto.edu >Release: 1.3.12 >Organization: >Environment: Any >Description: Directory indexing includes symbolic links, even if the FollowSymLinks or SymLinksIfOwnerMatch option is turned off. Thus, the indices output by the module include links to URLs which Apache should know will return a "403 Forbidden" error. It would be nice if mod_autoindex could decide based on the FollowSymLinks and SymLinksIfOwnerMatch options whether a symbolic link should be included in a directory listing. (Failing that, an IndexOptions keyword which could select the file types to be included in the listing might be useful.) >How-To-Repeat: Create a symbolic link under a document tree where FollowSymlinks and SymLinksIfOwnerMatch are off (or create a symbolic link belonging to a different user from the target where SymLinksIfOwnerMatch is on). Make sure "Options Indexes" is turned on. Get Apache to produce an index for the directory; it will include an entry for the symbolic link, but following the hyperlink will produce "403 Forbidden." >Fix: Have mod_autoindex check whether Apache would permit the symbolic link to be followed. Since doing so could potentially degrade performance (e.g., because checking SymLinksIfOwnerMatch would require Apache to stat() the target of the symlink in order to compare owners), add a keyword to IndexOptions controlling whether or not the check should be made (e.g., "IndexOptions +StrictSymLinks" or something similar). >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: wrowe State-Changed-When: Tue Aug 7 07:23:46 PDT 2001 State-Changed-Why: This should be fixed with the upcoming Apache 2.0.23. >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]