Ruby Issue Tracking System (https://redmine.ruby-lang.org/), updated 2019-05-07T12:30:29Z
Ruby master - Bug #15835: Path traversal symlink - WEBrick
https://redmine.ruby-lang.org/issues/15835?journal_id=77945
2019-05-07T12:30:29Z
naruse (Yui NARUSE) naruse@airemix.jp
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Feedback</i></li></ul><p>On Apache with <code>FollowSymLinks</code> enabled, it can traverse out of DocumentRoot.<br>
hxxps://httpd.apache.org/docs/2.4/en/urlmapping.html<br>
Therefore it's not a problem.</p>
Ruby master - Bug #15835: Path traversal symlink - WEBrick
https://redmine.ruby-lang.org/issues/15835?journal_id=77959
2019-05-08T15:04:03Z
shevegen (Robert A. Heiler) shevegen@gmail.com
<p>While I agree with naruse, it may be worthwhile to mention this briefly at e.g.<br>
<a href="https://ruby-doc.org/stdlib/libdoc/webrick/rdoc/WEBrick.html" class="external">https://ruby-doc.org/stdlib/libdoc/webrick/rdoc/WEBrick.html</a> - it could still surprise<br>
users so it could be useful to mention it; perhaps at the section "WEBrick can be run<br>
as a production server for small loads.".</p>
<p>As writing documentation is always a bit tedious, I will try my luck with a slight<br>
modification to it here, from:</p>
<p>"WEBrick can be run as a production server for small loads. Be aware that symlinks<br>
might allow users to view data outside of the designated root directory, such as<br>
for the Apache webserver with the FollowSymLinks option enabled".</p>
<p>Not sure if this is great but I just wanted to provide a bit of text - perhaps it<br>
can help others adapt it and write improved documentation; it's just a suggestion.</p>
Ruby master - Bug #15835: Path traversal symlink - WEBrick
https://redmine.ruby-lang.org/issues/15835?journal_id=80728
2019-08-14T03:06:48Z
jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul>
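<p>Since the thread settles on symlinks under the document root being followed by design, an operator can audit a root for links that resolve outside it before serving it. The script below is an added example, not code from this issue or from WEBrick; it assumes a POSIX filesystem, and every path name in its sample tree is constructed.</p>

```ruby
require "find"
require "fileutils"
require "tmpdir"

# List symlinks under +root+ that resolve outside of it (POSIX assumed).
# Returns [[link_path, resolved_target_or_nil], ...]; nil marks a link that
# cannot be resolved (dangling or looping), which is reported for review.
def escaping_symlinks(root)
  real_root = File.realpath(root)
  # Compare against "root/" so a sibling such as "www-private" does not
  # pass a naive start_with?(root) test.
  prefix = real_root + File::SEPARATOR
  found = []
  Find.find(real_root) do |path|        # Find uses lstat: links are not followed
    next unless File.symlink?(path)
    begin
      target = File.realpath(path)
    rescue Errno::ENOENT, Errno::ELOOP
      found << [path, nil]
      next
    end
    found << [path, target] unless target == real_root || target.start_with?(prefix)
  end
  found.sort_by(&:first)
end

# Constructed sample tree (hypothetical names), built in a temp directory.
def demo
  Dir.mktmpdir("docroot-audit") do |tmp|
    root    = File.join(tmp, "www")
    sibling = File.join(tmp, "www-private")   # shares the "www" prefix on purpose
    FileUtils.mkdir_p([File.join(root, "pub"), sibling])
    File.write(File.join(root, "pub", "index.html"), "ok")
    File.write(File.join(sibling, "secret.txt"), "constructed")
    File.symlink(File.join(root, "pub", "index.html"), File.join(root, "home.html"))  # stays inside
    File.symlink(File.join(sibling, "secret.txt"), File.join(root, "pub", "leak.txt")) # file link escapes
    File.symlink(sibling, File.join(root, "private"))                                  # directory link escapes
    File.symlink(File.join(tmp, "missing"), File.join(root, "dangling"))               # unresolvable
    base = File.realpath(root) + File::SEPARATOR
    escaping_symlinks(root).map do |link, target|
      [link.delete_prefix(base), target && File.basename(target)]
    end
  end
end

demo.each { |link, target| puts "#{link} -> #{target || '(unresolvable)'}" } if $PROGRAM_NAME == __FILE__
```

<p>Run against a real document root, <code>escaping_symlinks</code> returns full paths; an empty result means no link under the root leads outside it at the time of the scan.</p>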