#520 mod_http_files allows access outside of http_files_dir

Reporter Zash
Owner MattJ
Created
Updated
Stars (0)  
Tags
  • Milestone-0.9
  • Status-Fixed
  • Type-Defect
  • Priority-High
  • Security
  1. Zash on

    mod_http_files assumes that paths are normalized, and appends them to the filesystem path. Thus requesting a path like /files/../foo/bar serves up http_files_dir/../foo/bar

  2. Zash on

    Changes
    • tag Milestone-0.9
    • tag Status-Accepted
  3. Zash on

    This was the one I was going to set as owned by MattJ, who did the fix for this.

    Changes
    • owner MattJ
    • tag -Hidden
    • tag Status-Fixed

New comment