Mercurial > hg > nginx-quic
comparison src/http/ngx_http_core_module.h @ 4477:7033faf6dc3c
Added disable_symlinks directive.
To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.
To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().
As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not. Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).
Default value is off, i.e. symlinks are allowed.
author | Andrey Belov <defan@nginx.com> |
---|---|
date | Mon, 13 Feb 2012 16:29:04 +0000 |
parents | d620f497c50f |
children | 13e09cf11d4e |
comparison
equal
deleted
inserted
replaced
4476:94ef9d25ec5b | 4477:7033faf6dc3c |
---|---|
400 ngx_uint_t gzip_proxied; /* gzip_proxied */ | 400 ngx_uint_t gzip_proxied; /* gzip_proxied */ |
401 | 401 |
402 #if (NGX_PCRE) | 402 #if (NGX_PCRE) |
403 ngx_array_t *gzip_disable; /* gzip_disable */ | 403 ngx_array_t *gzip_disable; /* gzip_disable */ |
404 #endif | 404 #endif |
405 #endif | |
406 | |
407 #if (NGX_HAVE_OPENAT) | |
408 ngx_uint_t disable_symlinks; /* disable_symlinks */ | |
405 #endif | 409 #endif |
406 | 410 |
407 ngx_array_t *error_pages; /* error_page */ | 411 ngx_array_t *error_pages; /* error_page */ |
408 ngx_http_try_file_t *try_files; /* try_files */ | 412 ngx_http_try_file_t *try_files; /* try_files */ |
409 | 413 |