www-apache-bugdb mailing list archives

From "Daniel C. Stevenson" <dani...@media.mit.edu>
Subject general/2030: spelling error possibilities include files that shouldn't be seen
Date Thu, 21 May 1998 00:30:01 GMT
The following reply was made to PR general/2030; it has been noted by GNATS.

From: "Daniel C. Stevenson" <daniels@media.mit.edu>
To: brian@hyperreal.org
Cc: apbugs@Apache.Org
Subject: general/2030: spelling error possibilities include files that
 shouldn't be seen
Date: Wed, 20 May 1998 19:20:58 -0400

 >mod_autoindex does this as well - it will list the contents
 >of a directory regardless of what the actual permissions on
 >each file are.  This is the "expected" behavior for something
 
 It's not even the case of permissions on the file system level, but also
 permissions set by Apache. I have various configuration rules that deny
 requests for certain files. While moving them to another directory would be
 good, that doesn't solve the possible problem of the user finding the names
 of hidden directories. Or, in the case of a scripts directory, listing the
 name of every CGI script.
 
 In the end, I think the security concerns could be addressed by adding a
 3-state flag for the module. If the flag is 0, only when a single match is
 discovered is it returned; a 404 is returned otherwise. If the flag is 1,
 only a list of multiple matches is returned (not very usual, but good for
 completeness). If the flag is 2, single and multiple matches are returned,
 depending on what is appropriate.
 
 I recognize that the problem is not terribly serious or risky, and I don't
 mean to burden your time. I have been using and enjoying Apache since
 0.8.x, and I am very grateful for the excellent work the Apache Group has
 done.
 
 Dan Stevenson
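
The three flag values proposed in the message above, modelled as an added example (not part of the original message and not Apache code). The flag names, the simplified one-edit matcher, the directory listing and the 301/300 status codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the three proposed flag values (not Apache's). */
enum { ONLY_SINGLE = 0, ONLY_MULTIPLE = 1, SINGLE_AND_MULTIPLE = 2 };

/* Constructed directory listing for the demonstration. */
static const char *const NAMES[] = {
    "index.html", "admin.cgi", "admin2.cgi", "search.cgi"
};
#define N_NAMES (sizeof NAMES / sizeof NAMES[0])

/* Simplified stand-in for the module's matcher: 1 if b equals a or differs
 * from it by one substituted, transposed, omitted or extra character. */
static int near_match(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i = 0;
    if (strcmp(a, b) == 0) return 1;
    while (a[i] && a[i] == b[i]) i++;            /* first differing index */
    if (la == lb) {
        if (strcmp(a + i + 1, b + i + 1) == 0) return 1;       /* substitution */
        return a[i + 1] && a[i] == b[i + 1] && a[i + 1] == b[i]
               && strcmp(a + i + 2, b + i + 2) == 0;            /* transposition */
    }
    if (la + 1 == lb) return strcmp(a + i, b + i + 1) == 0;     /* omitted char */
    if (lb + 1 == la) return strcmp(a + i + 1, b + i) == 0;     /* extra char */
    return 0;
}

/* HTTP status for a misspelled request under the given flag. Assumed codes:
 * 301 = redirect to the single match, 300 = list of candidate names. */
static int speling_status(int flag, const char *requested)
{
    size_t i, matches = 0;
    for (i = 0; i < N_NAMES; i++)
        matches += near_match(requested, NAMES[i]);
    if (matches == 1 && flag != ONLY_MULTIPLE) return 301;
    if (matches > 1 && flag != ONLY_SINGLE) return 300;
    return 404;   /* no listing: the request discloses no file names */
}

int main(void)
{
    const char *reqs[] = { "serach.cgi", "admin1.cgi", "nothing.txt" };
    for (int f = ONLY_SINGLE; f <= SINGLE_AND_MULTIPLE; f++)
        for (size_t r = 0; r < 3; r++)
            printf("flag=%d %-12s -> %d\n", f, reqs[r], speling_status(f, reqs[r]));
    return 0;
}
```

With the flag at 0, the ambiguous request `admin1.cgi` gets a plain 404 instead of a response naming both `admin.cgi` and `admin2.cgi`.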
 
 
