Bug 1006640 - [ASF Bugzilla – Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.10
Hardware/OS: All Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Web Stack Team
QA Contact: BaseOS QE Security Team
Reported: 2013-09-10 21:44 EDT by Yukihiko Sawanobori
Modified: 2013-09-30 03:16 EDT
Doc Type: Bug Fix
Last Closed: 2013-09-30 03:16:17 EDT
Type: Bug
Attachments: None
Description Yukihiko Sawanobori 2013-09-10 21:44:01 EDT
Description of problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

Version-Release number of selected component (if applicable):

httpd-2.2.3.82

How reproducible:


Steps to Reproduce:

1. Disallow FollowSymLinks in the <Directory> directive.
2. Allow SymLinksIfOwnerMatch in .htaccess.
3. Create a symlink to a file owned by a different user.
4. Use an SSI include in an HTML file.

Actual results:

I can see the content of the file owned by the other user.

Expected results:

I cannot see the content of the file.

Additional info:

A patch for this vulnerability has already been provided.
Could you backport the patch to the httpd package?
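The configuration the reproduction steps describe, written out as an added example (it is not part of the bug report, the ASF bug, or the httpd project), with the hardened variant a practitioner would deploy instead of relying on SymLinksIfOwnerMatch. The paths /var/www/html/users and /home/bob/private.txt, and the user names alice and bob, are assumed for illustration; the directives are httpd 2.2 syntax matching the httpd-2.2.3 build named above.

```apache
# --- Reproduction as described in the report (assumed paths and users) ---
# httpd.conf: the directory disables FollowSymLinks but delegates Options to
# .htaccess, so a per-directory file can switch SymLinksIfOwnerMatch back on.
<Directory "/var/www/html/users">
    Options -FollowSymLinks +Includes
    AllowOverride Options
    Order allow,deny
    Allow from all
</Directory>
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# /var/www/html/users/.htaccess (owned by the content user, alice)
Options +SymLinksIfOwnerMatch

# Content under that directory (shell commands, shown here as comments):
#   ln -s /home/bob/private.txt /var/www/html/users/link.txt   # target owned by bob
#   printf '<!--#include file="link.txt" -->\n' > /var/www/html/users/page.shtml
# Per the report, GET /users/page.shtml returns bob's file through the SSI include
# even though the symlink owner (alice) does not match the target owner (bob).

# --- Hardened variant: do not treat SymLinksIfOwnerMatch as an access control ---
# The httpd documentation states that symlink ownership tests are subject to race
# conditions and are not a security restriction. Pin Options in the server config,
# refuse per-directory overrides, and keep SSI to non-exec includes.
<Directory "/var/www/html/users">
    Options -FollowSymLinks -SymLinksIfOwnerMatch +IncludesNOEXEC
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

With AllowOverride None the Options line in .htaccess is ignored, so the per-directory file can no longer re-enable symlink following. The check that actually matters is filesystem permission: httpd runs as a single unprivileged uid (apache on RHEL), and any file that uid can read is potentially servable by some path, symlink check or not. If bob's file must stay private, it has to be unreadable by the apache user (for example mode 0600 under bob's home), rather than protected by an Options flag.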
Comment 1 Joe Orton 2013-09-30 03:16:17 EDT
Yukihiko-san,

Thank you for taking the time to enter a bug report with us. You mentioned the word "vulnerability", but as described in the documentation, "SymlinksIfOwnerMatch" is not a security feature.  There are no plans to address this in Red Hat Enterprise Linux 5.

http://httpd.apache.org/docs/2.2/mod/core.html#options

We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:

https://www.redhat.com/support/process/production/#howto
