ngx_http_dav_module disable_symlink question
Eckart Haufler
Eckart.Haufler at rohde-schwarz.com
Tue Jul 26 07:39:29 UTC 2022
Hi,
We want to use the ngx_http_dav_module with the nginx server (1.21) on a linux machine.
For security reasons, we would like to forbid to follow symbol links (e.g. for the case of accidental symbol links to directories like root / ).
The nginx directive “disable_symlinks“ looked promising. It suppresses the download of files, but “MOVE” or “DELETE” seems not to be blocked.
Also the documentation says “ngx_http_autoindex_module<http://nginx.org/en/docs/http/ngx_http_autoindex_module.html>, ngx_http_random_index_module<http://nginx.org/en/docs/http/ngx_http_random_index_module.html>, and ngx_http_dav_module<http://nginx.org/en/docs/http/ngx_http_dav_module.html> modules currently ignore this directive.”
Is this planned or resolved on some newer release branches – or are there other settings to achieve better protection?
Thanks for any hints!
Eckart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20220726/50a51ba8/attachment.htm>
More information about the nginx-devel
mailing list