httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [PATCH] mod_autoindex and authorization [repost]
Date Tue, 28 May 2002 14:19:33 GMT
At 08:25 AM 5/28/2002, Francis Daly wrote:
>This is a repost of a patch sent in the thread "An unusual request"
>about a week ago.
>Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
>URLs for which the requester was not (yet) authorized did not appear
>in the generated listings. This patch allows the administrator
>configure, on a per-directory basis, whether or not to show the names
>of the authorization-requiring resources in that directory.

And the list generally agreed that the right fix is to configure a list
of HTTP result codes that the administrator will allow to be listed,
rather than the toggle you proposed.  But I haven't had time to hack
together an illustration, anyone who wants to is welcome to take a
stab at it.

>This patch introduces a config option which changes the
>behaviour of Options +Indexes. It potentially exposes names of
>authentication-requiring URLs to unauthenticated users. I've called
>the option "IndexOptions RevealSecretURL" to make sure that it isn't
>unintentionally enabled. It defaults to not set, which leaves behaviour
>as it currently is.
>It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
>AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
>is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
>DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
>could be changed to appear DIRECTORY by adding a filetype check just
>before setting the string ^^UNAUTHORIZED^^.

Very slick... I see lock icons popping up on my own sites really soon :-)

>It explicitly hides the file size and modification time of unauthorized
>resources. This differs from the behaviour of 1.3. Code already in
>find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any

I'm asking myself what it matters?  If they want to include these resources
in the file list, why do we care that they show up without size/time stamps?
I suspect that working around this is overkill.

View raw message