"List & Send" hides symlinks but does not forbid them #927

Closed
Borkason opened this Issue Mar 24, 2013 · 1 comment

Borkason commented Mar 24, 2013

Original author: AnimusPE...@gmail.com (April 26, 2012 22:07:23)

What steps will reproduce the problem?

  1. Create a rule with the "List & Send" handler
  2. Uncheck the "Allow symbolic links" checkbox
  3. Save settings and restart the server
  4. Open in a browser the resource for which the rule was created
  5. Insert in the URL a symlink name which definitely exists
  6. Hit enter.

What is the expected output?
404

What do you see instead?
UNIX root dir

What version of the product are you using? On what operating system?
Cherokee Web Server 1.2.101

Original issue: http://code.google.com/p/cherokee/issues/detail?id=1354

Borkason Mar 24, 2013
From ste...@konink.de on June 08, 2012 16:29:05
The feature is actually under 'show', and in the past it was only hiding symlinks; there isn't even a check if the file is in fact a symlink when serving it. We would have to figure out first if it is possible to check if a file is accessed via a symlink, or that the directory that is requested is a symlink.

I'll make this a feature request.


skinkie added a commit that referenced this issue Jan 9, 2014

Implement handler_file to forbid symlinks.
As of request I have modelled the way handler_common works as requested
in issue #927. Thus, if symlinks is disabled, requesting the file produces
a 404. This requires an extra lstat per request.

Fix #927

@skinkie skinkie closed this in #1099 Jan 10, 2014
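
The commit message mentions an extra lstat per request, and the earlier comment asks whether a symlinked directory in the request path can be detected as well. The following C code is an added example, not Cherokee's code: it goes beyond the single-file case and runs lstat() on every component below the document root. The names `path_has_symlink` and `build_sample_tree` and the temporary directory are hypothetical, and the sample tree is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if any component of `rel` below `root` is a symlink,
 * 0 if none is, -1 if a component is missing, is "..", or the path is too long.
 * A server would answer 404 for every result other than 0. */
int path_has_symlink(const char *root, const char *rel)
{
    char path[PATH_MAX];
    struct stat st;
    size_t len = strlen(root);
    if (len >= sizeof(path)) return -1;
    memcpy(path, root, len + 1);
    while (*rel) {
        size_t n = strcspn(rel, "/");
        if (n == 0) { rel++; continue; }              /* skip separators */
        if (n == 2 && memcmp(rel, "..", 2) == 0) return -1;
        if (len + n + 2 > sizeof(path)) return -1;    /* '/' + name + NUL */
        path[len++] = '/';
        memcpy(path + len, rel, n);
        len += n; path[len] = '\0';
        if (lstat(path, &st) != 0) return -1;         /* lstat does not follow the link */
        if (S_ISLNK(st.st_mode)) return 1;
        rel += n;
    }
    return 0;
}

/* Constructed sample tree: real/file.txt, dirlink -> real, filelink -> real/file.txt */
int build_sample_tree(char *tmpl)
{
    FILE *f;
    if (!mkdtemp(tmpl) || chdir(tmpl) != 0 || mkdir("real", 0700) != 0) return -1;
    if (!(f = fopen("real/file.txt", "w"))) return -1;
    fclose(f);
    return (symlink("real", "dirlink") || symlink("real/file.txt", "filelink")) ? -1 : 0;
}

int main(void)
{
    char root[] = "/tmp/symdemoXXXXXX";
    if (build_sample_tree(root) != 0) return 1;
    printf("real/file.txt=%d filelink=%d dirlink/file.txt=%d\n", path_has_symlink(root, "real/file.txt"),
           path_has_symlink(root, "filelink"), path_has_symlink(root, "dirlink/file.txt"));
    return 0;
}
```

The check and the later open() are separate steps, so where untrusted users can write inside the served tree, enforcement at open time (for example O_NOFOLLOW on each component via openat()) is needed as well.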
