Hi,
We want to use the ngx_http_dav_module with the nginx server (1.21) on a linux machine.
For security reasons, we would like to forbid to follow symbol links (e.g. for the case of accidental symbol links to directories like root / ).
The nginx directive “disable_symlinks“ looked promising. It suppresses the download of files, but “MOVE” or “DELETE” seems not to be blocked.
Also the documentation says “ngx_http_autoindex_modulehttp://nginx.org/en/docs/http/ngx_http_autoindex_module.html, ngx_http_random_index_modulehttp://nginx.org/en/docs/http/ngx_http_random_index_module.html, and ngx_http_dav_modulehttp://nginx.org/en/docs/http/ngx_http_dav_module.html modules currently ignore this directive.”
Is this planned or resolved on some newer release branches – or are there other settings to achieve better protection?
Thanks for any hints!
Eckart
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org