*stat()-ing symlinks with trailing slashes
icy at lighttpd.net
icy at lighttpd.net
Sat May 23 17:51:34 UTC 2009
In lighttpd, the decision to process a request as fastcgi or static
file is configured by specifying either a prefix or suffix to match on
the requested path.
For example you say "if path ends with .php, process as fastcgi".
In order to find the correct file, lighty needs to open()/stat()
various combinations. Suppose you have a script foo.php and request
something like /foo.php/.
Then lighty needs to look for the file (dir) /foo.php/ and if not
present, /foo.php (php script with / as PATH_INFO).
A normal request will first hit a ENOTDIR for /foo.php/ and then
succeed at /foo.php (matching the suffix .php) and getting served as
fastcgi.
Now suppose you have a symbolic link bar.php linked to foo.php and
request /bar.php/
Without the bug in question, it should behave like the first example
but as it is now, the open("/bar.php/") succeeds, will not match the
suffix .php and therefor get served as a static file (sending out the
source code).
Lighty assumes that there can't be regular files that end in a / (and
even resolve to the same file without the slash).
We tested various systems and found that FreeBSD, OSX and Solaris < 10
are affected. Linux, Open/Net/DragonflyBSD, Solaris 10 are not affected.
I'm sure there are other applications (webservers), which too have a
problem with the described behaviour.
More information about the freebsd-fs
mailing list