httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] mod_autoindex and authorization [repost]
Date Tue, 28 May 2002 14:19:33 GMT
At 08:25 AM 5/28/2002, Francis Daly wrote:
>This is a repost of a patch sent in the thread "An unusual request"
>about a week ago.
>
>Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
>URLs for which the requester was not (yet) authorized did not appear
>in the generated listings. This patch allows the administrator to
>configure, on a per-directory basis, whether or not to show the names
>of the authorization-requiring resources in that directory.

And the list generally agreed that the right fix is to configure a list
of HTTP result codes that the administrator will allow to be listed,
rather than the toggle you proposed.  But I haven't had time to hack
together an illustration; anyone who wants to is welcome to take a
stab at it.

>This patch introduces a config option which changes the
>behaviour of Options +Indexes. It potentially exposes names of
>authentication-requiring URLs to unauthenticated users. I've called
>the option "IndexOptions RevealSecretURL" to make sure that it isn't
>unintentionally enabled. It defaults to not set, which leaves behaviour
>as it currently is.
>
>It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
>AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
>is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
>DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
>could be changed to appear DIRECTORY by adding a filetype check just
>before setting the string ^^UNAUTHORIZED^^.

Very slick... I see lock icons popping up on my own sites really soon :-)

>It explicitly hides the file size and modification time of unauthorized
>resources. This differs from the behaviour of 1.3. Code already in
>find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
>content.

I'm asking myself what it matters?  If they want to include these resources
in the file list, why do we care that they show up without size/time stamps?
I suspect that working around this is overkill.
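
Added example, not part of the original message and not httpd or patch code: a stand-alone C model of the status-code-list design discussed above, combined with the patch's ^^UNAUTHORIZED^^ icon name and hidden size for 401 entries. The types, function names and sample entries are hypothetical, and treating 200 as always listed is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-directory policy: extra subrequest status codes the
 * administrator allows to appear in a generated listing. */
typedef struct { int allowed[8]; size_t n_allowed; } index_policy;

/* One directory entry plus the status its lookup subrequest returned. */
typedef struct { const char *name; int status; long size; int is_dir; } entry;

/* What the listing would show; size -1 means "not displayed". */
typedef struct { int listed; const char *icon_key; long size; } row;

static int status_allowed(const index_policy *p, int status) {
    if (status == 200) return 1;            /* assumption: OK is always listed */
    for (size_t i = 0; i < p->n_allowed; i++)
        if (p->allowed[i] == status) return 1;
    return 0;                               /* default: hide the name */
}

row render_entry(const index_policy *p, const entry *e) {
    row r = {0, NULL, -1};
    if (!status_allowed(p, e->status)) return r;
    r.listed = 1;
    if (e->status == 401) {
        /* Name is revealed, metadata is not; an unauthorized directory
         * also maps to this key, as the patch description states. */
        r.icon_key = "^^UNAUTHORIZED^^";
    } else {
        r.icon_key = e->is_dir ? "^^DIRECTORY^^" : e->name;
        r.size = e->size;
    }
    return r;
}

int main(void) {
    /* Constructed sample data. */
    index_policy reveal_401 = {{401}, 1};
    entry entries[] = {
        {"index.html", 200, 1024, 0},
        {"private",    401, 4096, 1},
        {"denied.txt", 403,   10, 0},
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        row r = render_entry(&reveal_401, &entries[i]);
        if (r.listed)
            printf("%-12s icon=%-18s size=%ld\n", entries[i].name, r.icon_key, r.size);
    }
    return 0;
}
```

With an empty policy the model matches the 2.0 behaviour described in the quoted text: only entries the requester can already fetch are named.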


