In a recent note, Rado S said:
Date: Tue, 20 Feb 2007 14:25:57 +0100
=- Thomas Dickey wrote on Tue 20.Feb'07 at 7:50:54 -0500 -=
OK. Then if I made it do a readlink, the code would find that the
result is still in your own directory, and it could recur to run the
check on the link's target. That sounds reasonable - I simply hadn't
thought of symlinks when I modified HTInit.c to use IsOurFile().
For an alternate (and perhaps easier to implement) approach,
I believe an intermediate security setting in Apache permits
following symlinks only when the link and its target have
the same owner: lstat(); stat(); compare owner.
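As an added example (my own code, not lynx's HTInit.c/IsOurFile() and not Apache's implementation of the SymLinksIfOwnerMatch option), here are both checks in C: the Apache-style lstat()/stat() owner comparison, and the readlink-and-recur walk Thomas describes, which checks every hop of a link chain against the owner of the first name. The function names, the MAX_LINK_HOPS cap and the temp-directory fixture are assumptions made for the demonstration; the fixture is constructed sample input, not anything from this thread.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LINK_HOPS 16   /* assumed cap; bounds link loops in the chain walk */

/* Apache-style SymLinksIfOwnerMatch check: lstat() the name, stat() what it
 * resolves to, compare st_uid.  A non-link passes trivially.  Returns 1 if
 * owners match, 0 if they differ, -1 on error (dangling link, ELOOP, etc). */
int symlink_owner_matches(const char *path)
{
    struct stat link_st, target_st;

    if (lstat(path, &link_st) != 0)
        return -1;
    if (!S_ISLNK(link_st.st_mode))
        return 1;
    if (stat(path, &target_st) != 0)
        return -1;
    return link_st.st_uid == target_st.st_uid ? 1 : 0;
}

/* readlink()-and-recur variant: follow the chain one hop at a time and require
 * every link on the way, and the final object, to be owned by the owner of the
 * first name.  Relative link text is resolved against the directory of the
 * link holding it.  Returns 1/0/-1 as above; -1 also covers chains longer
 * than MAX_LINK_HOPS, which is how a loop shows up. */
int link_chain_owner_matches(const char *path)
{
    char cur[PATH_MAX], buf[PATH_MAX], next[PATH_MAX];
    struct stat st;
    uid_t owner;
    ssize_t n;
    int hops, len;

    if (strlen(path) >= sizeof cur || lstat(path, &st) != 0)
        return -1;
    owner = st.st_uid;
    strcpy(cur, path);
    for (hops = 0; hops <= MAX_LINK_HOPS; hops++) {
        if (lstat(cur, &st) != 0)
            return -1;
        if (st.st_uid != owner)
            return 0;                   /* someone else's link or file */
        if (!S_ISLNK(st.st_mode))
            return 1;                   /* real object reached, all owners agree */
        if ((n = readlink(cur, buf, sizeof buf - 1)) < 0)
            return -1;
        buf[n] = '\0';
        if (buf[0] == '/' || strrchr(cur, '/') == NULL)
            len = snprintf(next, sizeof next, "%s", buf);
        else
            len = snprintf(next, sizeof next, "%.*s/%s",
                           (int)(strrchr(cur, '/') - cur), cur, buf);
        if (len < 0 || (size_t)len >= sizeof next)
            return -1;
        strcpy(cur, next);
    }
    return -1;
}

static char fixture_dir[PATH_MAX];

/* fixture_dir/name in a static buffer (use once per expression). */
const char *fixture_path(const char *name)
{
    static char out[PATH_MAX];
    snprintf(out, sizeof out, "%s/%s", fixture_dir, name);
    return out;
}

/* Owner uid of whatever path resolves to, or (uid_t)-1 on error. */
uid_t owner_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_uid : (uid_t)-1;
}

/* Constructed sample input: a temp directory with a regular file, a two-hop
 * link chain to it, a dangling link, a link loop and a link to "/" (owned by
 * root on any normal system).  Every entry is created by, and so owned by,
 * the calling user.  Returns 0 on success, -1 on failure. */
int build_fixture(void)
{
    FILE *fp;

    strcpy(fixture_dir, "/tmp/ownerchk.XXXXXX");
    if (mkdtemp(fixture_dir) == NULL || (fp = fopen(fixture_path("target"), "w")) == NULL)
        return -1;
    fputs("constructed target file\n", fp);
    fclose(fp);
    if (symlink("target", fixture_path("link1")) || symlink("link1", fixture_path("link2")) ||
        symlink("no-such-file", fixture_path("dangling")) ||
        symlink("loopb", fixture_path("loopa")) || symlink("loopa", fixture_path("loopb")) ||
        symlink("/", fixture_path("toroot")))
        return -1;
    return 0;
}

int main(void)
{
    const char *names[] = { "target", "link2", "dangling", "loopa", "toroot" };
    size_t i;

    if (build_fixture() != 0) {
        perror("build_fixture");
        return 1;
    }
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s apache-style=%2d chain=%2d\n", names[i],
               symlink_owner_matches(fixture_path(names[i])),
               link_chain_owner_matches(fixture_path(names[i])));
    return 0;
}
```

Run as an unprivileged user, "target" and "link2" pass both checks, "dangling" and "loopa" fail with -1, and "toroot" fails with 0 because the link is yours but "/" is root's. Note the difference between the two: the Apache-style check only compares the first link with the final object, so a chain you own that passes through someone else's link in the middle still passes; the chain walk rejects it. Both are racy in the usual way: whoever owns the directory can replace the link between the stat() and the later open(), so the check is worth pairing with fstat() on the descriptor actually opened (or O_NOFOLLOW where following links is not wanted at all).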