Summary: | mod_dav doesn't show symlinks | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Bastien Nocera <bnocera> |
Component: | mod_dav | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | major | CC: | ben.rubson, bnocera |
Priority: | P2 | ||
Version: | 2.4.16 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | FreeBSD |
Description
Bastien Nocera
2009-01-13 06:05:50 UTC
The traditional attitude to this type of issue has been that "the DAV repository" includes content which can be managed by mod_dav, and that does not include symlinks, so symlinks should not be exposed in PROPFIND results. (nor sockets, named pipes, etc) Simply saying "respect FollowSymlinks" is not really the whole story; we'd still have to decide e.g. how to handle symlinks which point outside the DAV repository, if turned off, for example. Also note that SymlinksIfOwnersMatch is not a security feature. Hello, Could we think about adding such feature to mod_dav please ? Module could keep its current behavior by default, and we could have an option : ShowSymLinks <yes|no> For security reasons, links would not have to be followed by server itself. So no risk to give a out-of repository file to the client. Symbolic links would simply have to be presented to the client, so that for example client would be able to duplicate them (duplicate these symbolic links as symbolic links on its local storage). I found a patch proposal which is unfortunately quite outdated today (2003 !) : http://marc.info/?l=dav-dev&m=105691033506577&w=3 Thank you very much ! Ben |