path: root/src/stat_cache.c
author: Glenn Strauss <gstrauss@gluelogic.com> 2016-07-30 02:10:44 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com> 2016-07-30 02:10:44 -0400
commit: acd5e450b5b913c5ebd179292f120d18ade0b184
tree: ba05a98a8e1139b67464ff624b24aa6be0b9f3a1 /src/stat_cache.c
parent: 558bfc4e1e629688fc78d16b18413ff9802dc8f4
[security] disable stat_cache if !follow-symlink (fixes #2724)

disable stat_cache if server.follow-symlink = "disable" if server.stat-cache-engine = "simple". Caching is still enabled for server.stat-cache-engine = "fam" since the FAM notification is almost immediate, however there is still a small race condition.

NOTE: server.follow-symlink = "disable" implementation still has time-of-check versus time-of-use (ToC-ToU) race conditions and its use is *not recommended* except to discourage symlinking. It *does not* prevent symlinking by a determined attacker with the ability to create files on the server.

server.stat-cache-engine = "disable" can also be used to discourage symlinking, and also does not eliminate ToC-ToU race conditions.

While more modern systems might use openat() and other *at() routines to eliminate the ToC-ToU race conditions, this is not currently implemented in lighttpd. Besides, for systems needing such protections against actors able to modify local files, it would be better to set up multiple lighttpd servers running in separate user contexts with filesystem permissions preventing access, rather than giving a single lighttpd server running under a single lighttpd user access to files across security boundaries, and trying to prevent access by lighttpd user if a file is a symlink.

Note that there are performance implications to setting either of
  server.follow-symlink = "disable"
  server.stat-cache-engine = "disable"
since stat cache normally reduces filesystem overhead for frequently-accessed files.

x-ref:
  "security: stat cache *very large* race condition if caching when follow_symlink disabled"
  https://redmine.lighttpd.net/issues/2724
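The commit message says openat() and the other *at() routines could eliminate the ToC-ToU race but are not implemented in lighttpd. The C code below is an added illustration of that approach, not lighttpd code and not part of this commit; the names `open_nofollow` and `demo` and the temporary directory tree are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open rel beneath rootfd one component at a time. Every openat() refuses a
 * symlink (O_NOFOLLOW), and the metadata comes from fstat() on the very fd
 * that would be served, so nothing can be swapped between check and use. */
int open_nofollow(int rootfd, const char *rel, struct stat *st) {
    char buf[4096], *save = NULL;
    if (snprintf(buf, sizeof buf, "%s", rel) >= (int)sizeof buf) return -1;
    int fd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save), *next; c && fd >= 0; c = next) {
        next = strtok_r(NULL, "/", &save);
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int nfd = strcmp(c, "..") ? openat(fd, c, flags) : -1; /* reject ".." */
        close(fd);
        fd = nfd;
    }
    if (fd >= 0 && fstat(fd, st) != 0) { close(fd); fd = -1; }
    return fd;
}

/* Constructed tree: docs/real.txt, link.txt -> docs/real.txt, ldir -> docs.
 * Bits: 1 = real file opened, 2 = symlinked file refused, 4 = symlinked dir refused. */
int demo(void) {
    char root[] = "/tmp/nofollow-XXXXXX";
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(root)) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0 || mkdirat(rootfd, "docs", 0700) != 0) return -1;
    close(openat(rootfd, "docs/real.txt", O_CREAT | O_WRONLY, 0600));
    if (symlinkat("docs/real.txt", rootfd, "link.txt") != 0) return -1;
    if (symlinkat("docs", rootfd, "ldir") != 0) return -1;
    fd = open_nofollow(rootfd, "docs/real.txt", &st);
    if (fd >= 0) { result |= S_ISREG(st.st_mode) ? 1 : 0; close(fd); }
    if (open_nofollow(rootfd, "link.txt", &st) < 0) result |= 2;
    if (open_nofollow(rootfd, "ldir/real.txt", &st) < 0) result |= 4;
    unlinkat(rootfd, "link.txt", 0); unlinkat(rootfd, "ldir", 0);
    unlinkat(rootfd, "docs/real.txt", 0); unlinkat(rootfd, "docs", AT_REMOVEDIR);
    close(rootfd); rmdir(root);
    return result;
}

int main(void) { printf("result mask: %d (7 = all checks held)\n", demo()); return 0; }
```

Like server.follow-symlink = "disable", this refuses every symlink, including ones that point inside the document root.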
Diffstat (limited to 'src/stat_cache.c')
-rw-r--r-- src/stat_cache.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stat_cache.c b/src/stat_cache.c
index 9464625f..cdf5a187 100644
--- a/src/stat_cache.c
+++ b/src/stat_cache.c
@@ -422,7 +422,7 @@ handler_t stat_cache_get_entry(server *srv, connection *con, buffer *name, stat_
if (buffer_is_equal(name, sce->name)) {
if (srv->srvconf.stat_cache_engine == STAT_CACHE_ENGINE_SIMPLE) {
- if (sce->stat_ts == srv->cur_ts) {
+ if (sce->stat_ts == srv->cur_ts && con->conf.follow_symlink) {
*ret_sce = sce;
return HANDLER_GO_ON;
}
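Review bot: the added `&& con->conf.follow_symlink` on the `sce->stat_ts == srv->cur_ts` test has no comment explaining why a per-connection symlink setting suppresses a cache hit, so a later cleanup could drop it as unrelated to timestamp freshness. A one-line comment above the condition that names the security reason and issue #2724 would protect it. The guard also lives only inside the `STAT_CACHE_ENGINE_SIMPLE` branch, so any other engine still returns cached entries when follow_symlink is off; the commit message says this is deliberate for FAM and leaves a small race, and that trade-off belongs in a code comment next to the branch, not only in the commit log.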