Author: vbart
Date: 2012-02-21 15:04:41 +0000 (Tue, 21 Feb 2012)
New Revision: 4488
Modified:
trunk/src/core/ngx_open_file_cache.c
Log:
Disable symlinks: don't allow creating or truncating files if "if_not_owner"
parameter is used.
To prevent a race condition we have to open a file before checking its owner, and
there's no way to change the access flags of an already opened file descriptor, so
we disable symlinks for the last path component entirely if the flags allow creating
or truncating the file.
Modified: trunk/src/core/ngx_open_file_cache.c
===================================================================
--- trunk/src/core/ngx_open_file_cache.c 2012-02-21 15:01:25 UTC (rev 4487)
+++ trunk/src/core/ngx_open_file_cache.c 2012-02-21 15:04:41 UTC (rev 4488)
@@ -678,7 +678,9 @@
goto failed;
}
- if (of->disable_symlinks == NGX_DISABLE_SYMLINKS_NOTOWNER) {
+ if (of->disable_symlinks == NGX_DISABLE_SYMLINKS_NOTOWNER
+ && !(create & (NGX_FILE_CREATE_OR_OPEN|NGX_FILE_TRUNCATE)))
+ {
fd = ngx_openat_file_owner(at_fd, p, mode, create, access, log);
} else {
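Review bot: The added `!(create & (NGX_FILE_CREATE_OR_OPEN|NGX_FILE_TRUNCATE))` test carries a security rationale that lives only in the commit log, so the condition should get a comment such as `/* owner is checked only after open(); create/truncate would already have taken effect through a symlink, so use the no-follow open instead */`. The `else` branch that handles this fallback continues outside the hunk, so these lines do not show whether it actually refuses a symlink in the last path component; that is worth confirming alongside this change. The mask test also appears to assume that both constants are non-zero bit flags inside `create`; if either shares bits with another open mode, plain opens could be routed away from the owner check as well.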