#520 mod_http_files allows access outside of http_files_dir
Reporter
Zash
Owner
MattJ
Created
Updated
Stars
(0)
Tags
Milestone-0.9
Security
Type-Defect
Priority-High
Status-Fixed
Zash
on
mod_http_files assumes that paths are normalized, and appends them to the filesystem path.
Thus requesting a path like /files/../foo/bar serves up http_files_dir/../foo/bar
Zash
on
Changes
tagMilestone-0.9
tagStatus-Accepted
Zash
on
This was the one I was going to set as owned by MattJ, who did the fix for this.
mod_http_files assumes that paths are normalized, and appends them to the filesystem path. Thus requesting a path like /files/../foo/bar serves up http_files_dir/../foo/bar
This was the one I was going to set as owned by MattJ, who did the fix for this.
Changes