Fix documentation

nmaier · Sep 16, 2010 · c94ee8f · c94ee8f
1 parent fa663cb
commit c94ee8f
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/docs/Readme.html b/docs/Readme.html
@@ -212,11 +212,23 @@ <h3>XSendFilePath</h3>
 <p>XSendFilePath allow you to add additional paths to some kind of white list. All files within these paths are allowed to get served through mod_xsendfile.</p>
 <p>Provide an absolute path as Parameter to this directive.</p>
 <p>You may provide more than one path.<p>
-<h4>Remarks</h4>
-<p>If you provide relative paths via the X-SendFile header, then all paths in this whitelist will be checked for a matching file.<br/>
-Therefore take caution especially in shared environments.</p>
+<h4>Remarks - Relative paths</h4>
 <p>The current working directory (if it can be determined) will be always checked first.</p>
-<p>The white list "inherits" entries for higher level configuration.<br/>
+<p>If you provide relative paths via the X-SendFile header, then all whitelist items will be checked until a seamingly valid combination is found, i.e. the result is within the bounds of the whitelist item; it isn't checked at this point if the path in question actually exists.<br/>
+Considering you whitelisted <code>/tmp/pool</code> and <code>/tmp/pool2</code> and your script working directory is <code>/var/www</code>.</p>
+<p><code>X-SendFile: file</code></p>
+<ol>
+  <li><code>/var/www/file</code> - Within bounds of <code>/var/www</code>, OK</li>
+</ol>
+<p><code>X-SendFile: ../pool2/file</code></p>
+<ol>
+  <li><code>/var/www/../pool2/file = /var/pool2/file</code> - Not within bounds of <code>/var/www</code></li>
+  <li><code>/tmp/pool/../pool2/file = /tmp/pool2/file</code> - Not within bounds of <code>/tmp/pool</code></li>
+  <li><code>/tmp/pool2/../pool2/file = /tmp/pool2/file</code> - Within bounds of <code>/tmp/pool2</code>, OK</li>  
+</ol>
+<p>You still can only access paths that are whitelisted. However you have might expect a different behavior here, hence the documentation.</p>
+<h4>Remarks - Inheritance</h4>
+<p>The white list "inherits" entries from higher level configuration.<br/>
 <pre>XSendFilePath /tmp
 &lt;VirtualHost *&gt;
 	ServerName someserver