abdera-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "william kelley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ABDERA-398) Need simple subfolder access control to allow ONLY indirect access
Date Tue, 12 Aug 2014 14:11:12 GMT

    [ https://issues.apache.org/jira/browse/ABDERA-398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094078#comment-14094078
] 

william kelley commented on ABDERA-398:
---------------------------------------

While there may be flaws in http protocol, this is clearly a bug report about the failure
of apache .htaccess to address a near universal problem.

When web sites are built, the use subfolders, and usually want to deny direct access to subfolders.
Specifically, subfolders with .css and .js, which are accessed from browsers in processing
html

Those accesses ARE distinguishable by HTT_REFERRER.

Yes, it can be spoofed, and yet it is there and is a 99% solution preventing access via legitimate
browser, robots, etc.

There is no way to say Deny access unless I'm the referrer.

Forgive me if I took for granted you actually understood the protocol.

This is a simple tool that IS available in the http protocol which apache only gives access
to via the most obscure of methods.
Make it simple.

It takes what, a day to fix?

> Need simple subfolder access control to allow ONLY indirect access
> ------------------------------------------------------------------
>
>                 Key: ABDERA-398
>                 URL: https://issues.apache.org/jira/browse/ABDERA-398
>             Project: Abdera
>          Issue Type: Bug
>    Affects Versions: 0.2.2, 0.3.0, 0.4.0, 1.0, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.2
>            Reporter: william kelley
>
> On the web I have found literally dozens of questions on this, and not one single simple
solution, and most web solutions dont (always) work. 
> Everyone has a need to prevent access to the wrong files, and usually can stick them
in a subfolder. Often you have no control on where the subfolder can be, meaning it is indeed
a subfolder of the web site root folder.
> What everyone wants, is to say, no one can DIRECTLY access subfolder foo,
> but my files, such as <root>/index.php CAN access foo.
> The allow/deny mechanism appears to have no way to say this, which is clearly where it
should be controlled.
> It appears if the allow/deny mechanism always treats access from
> request directly to foo folder
> exactly the same as
> request to index.php which accesses subfolder foo, which is the desired working route.
> Allow from <mysite.com> does not work, I'm guessing because allow can only test
the requesting ip/hostname.
> How hard is it to have a keyword for
> Deny <direct access>?
> or
> Allow <local access>?
> or
> AllowIndirect all
> or 
> Allow allIndirect
> or
> you are clever, pick what you like and make it easy to say.
> If I am missing something simple that "fixes" this, it is not from lack of spending days,
not hours, looking for this.
> Something this basic and universal should be able to be expressed by a not very expert
at all person, in one or two lines.
> I am a programmer of some decades, and I expect this could be fixed in a day, maybe 2,
by someone familiar with internals.
> If the solution is out there, it is well hidden.
> thanks for reading.
> Replies invited.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message