Red Hat Bugzilla – Bug 1006640
[ASF Bugzilla – Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Last modified: 2013-09-30 03:16:17 EDT
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Disallow FollowSymLinks in the <Directory> directive.
2. Allow SymLinksIfOwnerMatch in .htaccess.
3. Create a symlink to a file owned by another user, which I am not permitted to own.
4. Use an SSI include in the HTML.
I can see the content of the file owned by another user.
I cannot see the content of the file.
A patch for this vulnerability has already been provided.
Could you backport the patch to the httpd package?
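The steps above depend on a symlink under the document root whose owner differs from the owner of its target. As an added example (not part of the bug report or of httpd), this Python audit lists such links so they can be reviewed; the names `audit_symlinks`, `Finding` and the injectable `lstat`/`stat_target` parameters are assumptions made for illustration.

```python
import os
import stat
import sys
from typing import Iterator, NamedTuple, Optional


class Finding(NamedTuple):
    link: str                  # path of the symlink itself
    target: str                # where the link resolves to
    link_uid: int              # owner of the link
    target_uid: Optional[int]  # owner of the target, None if dangling


def audit_symlinks(root: str, lstat=os.lstat, stat_target=os.stat) -> Iterator[Finding]:
    """Yield symlinks under root whose owner differs from the target's owner.

    This is the same owner comparison SymLinksIfOwnerMatch is documented to
    make. lstat/stat_target are injectable (hypothetical parameters) so the
    comparison can be exercised without root privileges.
    """
    # followlinks=False: symlinked directories are reported but not descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = lstat(path)            # metadata of the link, not the target
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            try:
                target_uid = stat_target(path).st_uid   # follows the link
            except OSError:
                target_uid = None            # dangling or unreadable target
            if target_uid != link_st.st_uid:
                yield Finding(path, os.path.realpath(path), link_st.st_uid, target_uid)


if __name__ == "__main__":
    # Usage: python audit_symlinks.py /path/to/docroot
    # The result is a point-in-time snapshot; links can change after the scan.
    for f in audit_symlinks(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.link} -> {f.target} (link uid {f.link_uid}, target uid {f.target_uid})")
```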
Thank you for taking the time to enter a bug report with us. You mentioned the word "vulnerability", but as described in the documentation, "SymlinksIfOwnerMatch" is not a security feature. There are no plans to address this in Red Hat Enterprise Linux 5.
We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.
If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.
For information on how to contact the Red Hat production support team, please visit: