httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: 1.2b1 status
Date Thu, 28 Nov 1996 04:58:16 GMT
On Wed, 27 Nov 1996, Alexei Kosut wrote:
> On Wed, 27 Nov 1996, Rob Hartill wrote:
> 
> > 	Security hole: [Brian] - Directory contents can be displayed
> > 	when an index.html file is supposed to be 'protecting' the directory
> > 	from view, this is due to a problem with negotiation/Multiviews/mod_dir
> > 	when the client doesn't accept text/html.
> > 	(Brian says this is a 1.2 showstopper (he didn't say 1.2b1))
> 
> I think it's a 1.2b1 showstopper. At any rate, I've enclosed a
> fix. 

The patch works great.  Once again Alexei steps in to save the day.  :)  I +1
it.  If someone else wants to +1 it just as a sanity check, it can go in, and I
don't see a reason to not release a 1.2b1 tarball on schedule. 

> Now, the current behavior *could* be used as a feature. For example,
> if I wanted members of a certain domain to view directories, but
> everyone else to get specific index files, I could make the index
> files forbidden to that specific domain (deny them access) - this
> would cause mod_dir currently to serve directory listings.

Yeah, but even if I were to be so devilish as to do this, I'd probably still
want people who got the directory listings to be able to get the index.html,
etc.  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
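
The failure mode discussed in this thread, as an added example that is not part of the original message and is not the patch Alexei enclosed: a constructed C model of a directory handler that decides between serving an index file and generating a listing. The function names, the `SERVE_LISTING` marker and the fail-closed rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a directory handler; not Apache source. */
enum { HTTP_OK = 200, HTTP_FORBIDDEN = 403, HTTP_NOT_FOUND = 404,
       HTTP_NOT_ACCEPTABLE = 406 };
#define SERVE_LISTING (-1)   /* hypothetical marker: generate a listing */

/* Fail-open: every index candidate that cannot be served is skipped, so a
 * 406 from content negotiation or a 403 from access control ends in a
 * directory listing, even though an index file exists. */
int resolve_dir_fail_open(const int *sub_status, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sub_status[i] == HTTP_OK)
            return HTTP_OK;
    return SERVE_LISTING;
}

/* Fail-closed (assumed policy): only "no such file" may lead to a listing.
 * If any candidate exists but could not be served, return its error. */
int resolve_dir_fail_closed(const int *sub_status, size_t n)
{
    int first_error = 0;
    for (size_t i = 0; i < n; i++) {
        if (sub_status[i] == HTTP_OK)
            return HTTP_OK;
        if (sub_status[i] != HTTP_NOT_FOUND && first_error == 0)
            first_error = sub_status[i];
    }
    return first_error ? first_error : SERVE_LISTING;
}

int main(void)
{
    /* Constructed cases: subrequest status for each index candidate. */
    const int no_html[]  = { HTTP_NOT_ACCEPTABLE }; /* client omits text/html */
    const int denied[]   = { HTTP_FORBIDDEN };      /* index file denied */
    const int no_index[] = { HTTP_NOT_FOUND, HTTP_NOT_FOUND };

    printf("406 case: open=%d closed=%d\n",
           resolve_dir_fail_open(no_html, 1), resolve_dir_fail_closed(no_html, 1));
    printf("403 case: open=%d closed=%d\n",
           resolve_dir_fail_open(denied, 1), resolve_dir_fail_closed(denied, 1));
    printf("no index: open=%d closed=%d\n",
           resolve_dir_fail_open(no_index, 2), resolve_dir_fail_closed(no_index, 2));
    return 0;
}
```

The 403 case also covers the "feature" use Alexei describes: under the fail-closed rule, denying a domain access to the index file yields an error for that domain instead of a listing.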


