httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40217] - mod_dav ignores access restrictions when listing the contents of a directory
Date Wed, 09 Aug 2006 21:15:48 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40217>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40217


rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From rpluem@apache.org  2006-08-09 21:15 -------
(In reply to comment #2)
> I disagree that FilesMatch is not intended to hide files, mod_autoindex does not

In order to prevent files from showing up in a mod_autoindex listing and thus
hiding them, you should use IndexIgnore. I guess it is just because
mod_autoindex fails to detect the mime type of the file that it does not display
it. But this is not really intentional.

> display files that match the above pattern.  Moreover, you get a "403 Forbidden"
> when trying to read a file that matches the FilesMatch pattern from any web

In this case you try to access the file itself. That is what filesmatch prevents
and should prevent. This is also prevented in the dav case. You can *see* the
files in Webdrive but you *cannot* access them.

> browser.  Again, everything *but* DAV honors the FilesMatch directive as specified.

What do you mean by everything? I see only mod_autoindex and the behaviour there
is not intentional.

> 
> Anyway, if you don't think FilesMatch should be used in this way, how would you
> suggest preventing a DAV client from seeing access control files?  

This is not possible. Again think of the Unix filesystem permissions here. If
you want to prevent someone from *seeing* files in a directory you have to
revoke read permissions on this directory. The same is true for mod_dav. Seeing
a file is not a property or permission of the file, but of the directory or
better the collection in the dav case. But of course you can prevent people from
accessing the access control files via filesmatch.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
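
The three mechanisms discussed in this message, side by side, as an added example that is not part of the original bug comment or of the httpd project's own documentation. It assumes Apache 2.4 authorization syntax (on the 2.0/2.2 releases current at the time of the report, `Order allow,deny` with `Deny from all` takes the place of `Require all denied`); the directory path, realm name and password-file path are placeholders.

```apache
# Hypothetical DAV collection; all paths and the realm name are placeholders.
<Directory "/var/www/dav">
    Dav On

    # Blocks *access* to matching files: a request for /dav/.htaccess or
    # /dav/.htpasswd is refused with 403, from a browser or a DAV client.
    # It does not remove the names from a DAV listing of the collection.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>

    # Hides matching names from mod_autoindex listings only.
    # IndexIgnore is a mod_autoindex directive; mod_dav does not consult it.
    Options +Indexes
    IndexIgnore .ht*

    # A DAV client lists a collection with PROPFIND on the collection
    # itself, so who may see member names is decided here, at collection
    # level, not per file (the analogue of read permission on a Unix
    # directory).
    AuthType Basic
    AuthName "dav"
    # Password file kept outside the DAV tree, so it is never a member of
    # the collection and cannot appear in a listing.
    AuthUserFile "/etc/httpd/dav.passwd"
    <Limit PROPFIND>
        Require valid-user
    </Limit>
</Directory>
```
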
