quetz-mod_python-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Graham Dumpleton" <grah...@dscpl.com.au>
Subject Re: Bizarre behavior with util.redirect() and mod_autoindex
Date Fri, 15 Sep 2006 00:13:28 GMT
Mike Glover wrote ..
> Graham-
> 
> Here's the snippet out of .htaccess that's calling the handler:
> 
> <Files "bar.html">
>         PythonAccessHandler mpopenid::requireOpenIDAuth
>         PythonOption allowed-users "mike.glover.myopenid.com
> </Files>
> 
> As you can see, I was wrong about it being a PythonHandler -- I was looking
> at a different section of the file and got confused.  So I may be affected
> by the bug you posted, after all.

Having done some playing, my advice would be to turn off Indexes so
that mod_autoindex is never used in the first place. For all I can tell, it
acts like a spamming device that could cause much havoc if one is
using handlers other than the response handlers. The results could be
varied, but if session management is being done from authentication
handlers, it may cause lockups quite easily depending on how the
handlers are written.

The problem is that for every subdirectory and then every file in those
subdirectories, it will run all handler phases up to the fixup handler
phase. Thus it will trigger access, authentication, etc handlers. I can
only think it is doing it for stuff in the subdirectories to determine if
anything in the subdirectories is accessible and thus whether the actual
subdirectory should be displayed. This is a pretty brute force way of
doing it though.

What is more annoying is that I cant find a way by interrogating either
req.notes, or req.main.handler to determine if the sub request is being
triggered by mod_autoindex. Thus one couldn't easily protect against
just it. If one just bails if req.main is set, you could stop other things
from working and you would have to be very careful.

So, my recommendation would be that rather than try and code your
handler to cope with what mod_autoindex does, simply disable the
mod_autoindex module and use hand constructed index files. I just
can't believe how nasty what it does is.

Graham

Mime
View raw message