Description of problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

Version-Release number of selected component (if applicable):
httpd-2.2.3.82

How reproducible:

Steps to Reproduce:
1. Disallow FollowSymLinks in the <Directory> directive.
2. Allow SymLinksIfOwnerMatch in .htaccess.
3. Create a symlink to a file owned by another user that one is not permitted to own.
4. Use an SSI include in the HTML.

Actual results:
I can see the content of the file owned by another user.

Expected results:
I cannot see the content of the file.

Additional info:
A patch for this vulnerability has already been provided. Could you backport the patch to the httpd package?
Yukihiko-san,

Thank you for taking the time to enter a bug report with us. You mentioned the word "vulnerability", but as described in the documentation, "SymlinksIfOwnerMatch" is not a security feature. There are no plans to address this in Red Hat Enterprise Linux 5.

http://httpd.apache.org/docs/2.2/mod/core.html#options

We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:
https://www.redhat.com/support/process/production/#howto
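
An audit for the condition in the report's steps, added here as an example (not code from the bug report, Apache httpd or Red Hat): it walks a document root and lists symlinks whose target is owned by a different uid than the link itself, the case SymLinksIfOwnerMatch is meant to refuse. The function name and its `stat_target` parameter are assumptions made for this example, and the sample tree is constructed.

```python
import os
import stat
import tempfile


def find_owner_mismatched_symlinks(docroot, stat_target=os.stat):
    """Return sorted (link, link_uid, target_uid) tuples for symlinks under
    docroot whose target is owned by a different uid than the link itself.
    target_uid is None when the link is dangling."""
    findings = []
    # followlinks=False: directory symlinks are reported but never descended.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_info = os.lstat(path)  # owner of the link itself
            if not stat.S_ISLNK(link_info.st_mode):
                continue
            try:
                # Owner of whatever the link finally resolves to.
                target_uid = stat_target(path).st_uid
            except OSError:
                target_uid = None  # dangling or unreadable target
            if target_uid != link_info.st_uid:
                findings.append((path, link_info.st_uid, target_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree: one same-owner link and one dangling link.
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.shtml")
        with open(page, "w") as fh:
            fh.write('<!--#include file="linked.txt" -->\n')
        os.symlink(page, os.path.join(root, "own.txt"))
        os.symlink(os.path.join(root, "missing.txt"),
                   os.path.join(root, "linked.txt"))
        for link, link_uid, target_uid in find_owner_mismatched_symlinks(root):
            print(f"{link}: link uid {link_uid}, target uid {target_uid}")
```

The result is a point-in-time view of the tree and does not replace the server's own request-time check.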