docs/Readme.html: 16 additions & 4 deletions
@@ -212,11 +212,23 @@ <h3>XSendFilePath</h3>
212
212
<p>XSendFilePath allow you to add additional paths to some kind of white list. All files within these paths are allowed to get served through mod_xsendfile.</p>
213
213
<p>Provide an absolute path as Parameter to this directive.</p>
214
214
<p>You may provide more than one path.<p>
215
-
<h4>Remarks</h4>
216
-
<p>If you provide relative paths via the X-SendFile header, then all paths in this whitelist will be checked for a matching file.<br/>
217
-
Therefore take caution especially in shared environments.</p>
215
+
<h4>Remarks - Relative paths</h4>
218
216
<p>The current working directory (if it can be determined) will be always checked first.</p>
219
-
<p>The white list "inherits" entries for higher level configuration.<br/>
217
+
<p>If you provide relative paths via the X-SendFile header, then all whitelist items will be checked until a seamingly valid combination is found, i.e. the result is within the bounds of the whitelist item; it isn't checked at this point if the path in question actually exists.<br/>
218
+
Considering you whitelisted <code>/tmp/pool</code> and <code>/tmp/pool2</code> and your script working directory is <code>/var/www</code>.</p>
219
+
<p><code>X-SendFile: file</code></p>
220
+
<ol>
221
+
<li><code>/var/www/file</code> - Within bounds of <code>/var/www</code>, OK</li>
222
+
</ol>
223
+
<p><code>X-SendFile: ../pool2/file</code></p>
224
+
<ol>
225
+
<li><code>/var/www/../pool2/file = /var/pool2/file</code> - Not within bounds of <code>/var/www</code></li>
226
+
<li><code>/tmp/pool/../pool2/file = /tmp/pool2/file</code> - Not within bounds of <code>/tmp/pool</code></li>
227
+
<li><code>/tmp/pool2/../pool2/file = /tmp/pool2/file</code> - Within bounds of <code>/tmp/pool2</code>, OK</li>
228
+
</ol>
229
+
<p>You still can only access paths that are whitelisted. However you have might expect a different behavior here, hence the documentation.</p>
230
+
<h4>Remarks - Inheritance</h4>
231
+
<p>The white list "inherits" entries from higher level configuration.<br/>
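Review bot: the deleted caution at old line 217 ("Therefore take caution especially in shared environments.") has no counterpart in the added lines; the new closing sentence ("You still can only access paths that are whitelisted. However you have might expect a different behavior here, hence the documentation.") explains why the remark exists but drops the shared-hosting warning, so consider re-adding it there, e.g. "You can still only access whitelisted paths, but the lookup order may differ from what you expect, so take particular care in shared environments." The added paragraph also leaves open what happens once a "seemingly valid combination" is found and the file turns out not to exist (the text states existence "isn't checked at this point"): one sentence saying whether the lookup stops at that entry or moves on to the next whitelist item would make the ordering rule complete. Spelling in the added lines: "seamingly" should be "seemingly" and "you have might expect" should be "you might have expected"; the unchanged context line "<p>You may provide more than one path.<p>" ends with "<p>" where "</p>" is meant and could be fixed in the same commit.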