Allowed directory change in username input #7
Open
Description
What steps will reproduce the problem?
1. Specify the location of the user authentication file in the Apache
configuration file as specified in the documentation for GoogleAuthUserPath to
something like: /var/lib/www/ga_auth
2. Create a user file such as "testaccess@someplace.org" in an incorrect
directory such as /var/lib/www, so that it is
/var/lib/www/testaccess@someplace.org.
3. At the Apache web authentication prompt, enter the username as
../testaccess@someplace.org
4. Enter the expected password and code in the password field.
What is the expected output? What do you see instead?
Expected response from the web server is to deny access and ignore the parent
path specifier in the username, as no file of testaccess@someplace.org exists
in /var/lib/www/ga_auth as specified in GoogleAuthUserPath. However, login is
successful and the file outside the specified GoogleAuthUserPath is read and
accepted anyways.
What version of the product are you using? On what operating system?
R21 on CentOS 6.4 with Apache 2.2.15.
Original issue reported on code.google.com by James.Ha...@gmail.com on 10 Oct 2013 at 4:43
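The check the report expects, written as an added example rather than code from the module or its authors: the username is validated as a single file name before it is joined to the GoogleAuthUserPath directory. The helper names `username_is_safe` and `build_user_path`, the 255-byte length limit and the rejected character set are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the module's API): returns 1 only when `user`
 * can be used as a single file name inside the configured directory. */
static int username_is_safe(const char *user)
{
    size_t i, len;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > 255)            /* empty or over-long name */
        return 0;
    if (strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;                     /* separator or control byte */
    }
    return 1;
}

/* Hypothetical helper: writes "<dir>/<user>" to `out`.
 * Returns 0 on success, -1 if the name is rejected or would be truncated. */
static int build_user_path(const char *dir, const char *user,
                           char *out, size_t outlen)
{
    int n;

    if (!username_is_safe(user))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the directory and usernames from the report. */
    const char *dir = "/var/lib/www/ga_auth";
    const char *names[] = { "testaccess@someplace.org",
                            "../testaccess@someplace.org" };
    char path[512];
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-30s -> %s\n", names[i],
               build_user_path(dir, names[i], path, sizeof path) == 0
                   ? path : "rejected");
    return 0;
}
```

A rejected name is treated as an authentication failure; the username is not rewritten or stripped, so a crafted value cannot be normalised into a different valid file name.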