DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7764>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7764
Possible security problem
slive@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED                    |REOPENED
     Resolution    |WONTFIX                     |
------- Additional Comments From slive@apache.org 2002-04-13 14:24 -------
Comment from Cliff Woolley (glad we have peer review ;-):
Actually, depending on how htpasswd is used, it might be possible to
construct some sort of a symlink attack to have arbitrary files corrupted.
It's not a bogus warning... it really should be fixed. I've been meaning
to do it for ages; htdigest was already fixed. htpasswd is more difficult
because the whole program needs to be APRized... there was a patch to do
this at one point written by Mladen Turk, but the patch was overkill IMO
(and that of the other people that reviewed it as I recall), so it never
got committed.
If it were up to me, I'd leave this bug listed as open to remind us to get
to this one day.