
Feature #851

Feature Request: New option "x-send-file-docroot"

Added by Anonymous over 13 years ago. Updated over 3 years ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
mod_fastcgi
Target version:
Start date:
Due date:
% Done:
100%

Estimated time:
Missing in 1.5.x:

Description


<?php
    // Any file the PHP process can read can be named here ...
    $file = "/etc/passwd";
    header("Content-Type: text/plain");
    // ... and with allow-x-send-file enabled, lighttpd serves it as the response body.
    header("X-LIGHTTPD-send-file: " . $file);
    flush();
    exit();
?>

Do I need more explanation?

"allow-x-send-file" => "enable" is a very good feature, but it's a little bit too powerful. So, it would be nice to restrict this function to a separate doc-root (or the same as the doc-root of the specific vhost).

P.S.: Excuse my English, I am German (nobody is perfect ;))

-- eebkiller

#1

Updated by darix over 13 years ago

/etc/passwd is more or less not critical. At least on Linux. /etc/shadow is more critical, but that should be root only. Whoever runs his webserver as root should be shot in the first place.

Anyway.... x-sendfile has other problems. What if the user creates a PHP script that symlinks /etc/shadow into his docroot?

I personally would say: only enable x-sendfile for trusted scripts. On mass hosting environments I would leave it off. And I really wonder if a check like that would put us on the same road as PHP's open_basedir.

Jan, do we want that? At first sight, the code for that looks trivial.
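One way to implement the docroot restriction requested in the description, covering the symlink case darix raises in #1: an added C example, not lighttpd's own code (the function names and the /tmp demo directory are my own choices). Both names are canonicalised with realpath(3) before the prefix compare, so a symlink dropped inside the docroot resolves to its real target and is rejected.

```c
#define _XOPEN_SOURCE 700   /* realpath(3), mkdtemp(3), symlink(2) */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* String check on two canonical absolute paths: path must be the docroot
 * or lie below it with a '/' boundary ("/srv/www2/x" is not under "/srv/www"). */
int canonical_within(const char *docroot, const char *path)
{
    size_t n = strlen(docroot);
    while (n > 1 && docroot[n - 1] == '/') n--;   /* tolerate trailing '/' */
    if (strncmp(docroot, path, n) != 0) return 0;
    if (n == 1 && docroot[0] == '/') return 1;     /* docroot is "/" */
    return path[n] == '\0' || path[n] == '/';
}

/* realpath(3) follows every symlink and strips ".." before the compare, and
 * the check fails closed when either name cannot be resolved. */
int xsendfile_allowed(const char *docroot, const char *file)
{
    char rd[PATH_MAX], rf[PATH_MAX];
    if (realpath(docroot, rd) == NULL) return 0;
    if (realpath(file, rf) == NULL) return 0;
    return canonical_within(rd, rf);
}

/* darix's scenario: a symlink inside the docroot pointing outside it.
 * Constructed demo under /tmp; returns 1 when the check denies the link. */
int symlink_escape_denied(void)
{
    char dir[] = "/tmp/xsf-demo-XXXXXX", lnk[PATH_MAX];
    int denied = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(lnk, sizeof lnk, "%s/leak", dir);
    if (symlink("/etc/passwd", lnk) == 0) {
        denied = !xsendfile_allowed(dir, lnk);
        unlink(lnk);
    }
    rmdir(dir);
    return denied;
}

int main(void)
{
    printf("/etc/passwd under /etc: %d\n", xsendfile_allowed("/etc", "/etc/passwd"));
    printf("symlink escape denied:  %d\n", symlink_escape_denied());
    return 0;
}
```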

#2

Updated by gstrauss almost 4 years ago

  • Description updated (diff)
  • Status changed from New to Patch Pending
  • Assignee deleted (jan)
  • Target version set to 1.4.40

#3

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
