Correct a common misconception: symlink restrictions

are policy restrictions, not security restrictions. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@569000 13f79535-47bb-0310-9956-ffa450edef68
2026-01-06 09:01:14 +03:00 · 2007-08-23 14:04:27 +00:00
parent 480a0624c6
commit 0b8a5e9d45
2 changed files with 16 additions and 4 deletions
--- a/docs/manual/mod/core.html.en
+++ b/docs/manual/mod/core.html.en
@@ -2217,6 +2217,9 @@ directory</td></tr>
      <p>Note also, that this option <strong>gets ignored</strong> if set
      inside a <code class="directive"><a href="#location">&lt;Location&gt;</a></code>
      section.</p>
+      <p>Omitting this option should not be considered a security restriction,
+      since symlink testing is subject to race conditions that make it
+      circumventable.</p>
      </div></dd>

      <dt><code>Includes</code></dt>
@@ -2257,8 +2260,11 @@ directory</td></tr>
      target file or directory is owned by the same user id as the
      link.

-      <div class="note"><h3>Note</h3> This option gets ignored if
-      set inside a <code class="directive"><a href="#location">&lt;Location&gt;</a></code> section.</div>
+      <div class="note"><h3>Note</h3> <p>This option gets ignored if
+      set inside a <code class="directive"><a href="#location">&lt;Location&gt;</a></code> section.</p>
+      <p>This option should not be considered a security restriction,
+      since symlink testing is subject to race conditions that make it
+      circumventable.</p></div>
      </dd>
    </dl>

--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -2214,6 +2214,9 @@ directory</description>
      <p>Note also, that this option <strong>gets ignored</strong> if set
      inside a <directive type="section" module="core">Location</directive>
      section.</p>
+      <p>Omitting this option should not be considered a security restriction,
+      since symlink testing is subject to race conditions that make it
+      circumventable.</p>
      </note></dd>

      <dt><code>Includes</code></dt>
@@ -2254,9 +2257,12 @@ directory</description>
      target file or directory is owned by the same user id as the
      link.

-      <note><title>Note</title> This option gets ignored if
+      <note><title>Note</title> <p>This option gets ignored if
      set inside a <directive module="core"
-      type="section">Location</directive> section.</note>
+      type="section">Location</directive> section.</p>
+      <p>This option should not be considered a security restriction,
+      since symlink testing is subject to race conditions that make it
+      circumventable.</p></note>
      </dd>
    </dl>