[nginx] svn commit: r4488 - trunk/src/core

vbart at nginx.com
Tue Feb 21 15:04:42 UTC 2012


Author: vbart
Date: 2012-02-21 15:04:41 +0000 (Tue, 21 Feb 2012)
New Revision: 4488

Modified:
   trunk/src/core/ngx_open_file_cache.c
Log:
Disable symlinks: don't allow creating or truncating files if "if_not_owner"
parameter is used.

To prevent a race condition we have to open a file before checking its owner and
there's no way to change access flags for an already opened file descriptor, so
we disable symlinks for the last path component at all if flags allow creating
or truncating the file.


Modified: trunk/src/core/ngx_open_file_cache.c
===================================================================
--- trunk/src/core/ngx_open_file_cache.c	2012-02-21 15:01:25 UTC (rev 4487)
+++ trunk/src/core/ngx_open_file_cache.c	2012-02-21 15:04:41 UTC (rev 4488)
@@ -678,7 +678,9 @@
         goto failed;
     }
 
-    if (of->disable_symlinks == NGX_DISABLE_SYMLINKS_NOTOWNER) {
+    if (of->disable_symlinks == NGX_DISABLE_SYMLINKS_NOTOWNER
+        && !(create & (NGX_FILE_CREATE_OR_OPEN|NGX_FILE_TRUNCATE)))
+    {
         fd = ngx_openat_file_owner(at_fd, p, mode, create, access, log);
 
     } else {
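
Review bot: the new `!(create & (NGX_FILE_CREATE_OR_OPEN|NGX_FILE_TRUNCATE))` test in the `if` carries no comment, and its rationale is recorded only in the commit log: the file has to be opened before its owner can be checked, so an open that creates or truncates would already have taken effect by the time the check runs. A short comment above the condition saying so would keep a later cleanup from dropping the test. The `else` branch that these opens now take lies outside the hunk, so it is worth confirming that it refuses a symlink in the last path component, as the log states, rather than following it. The change also means "if_not_owner" now rejects creating or truncating through a symlink even when the owners match, which deserves a line in the documentation of that parameter.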


