[pmwiki-users] protection against reading directories with truncated path
Waylan Limberg
waylan at gmail.com
Wed Sep 14 11:40:25 CDT 2005
On 9/14/05, Stephan Schildberg <schildberg at scoid.de> wrote:
> Dear Hagan,
>
> thank you.
>
> >
> > Order Deny,Allow
> > Deny from all
> >
> >
>
> If I do this, it's virtually locked up any pictures, - no file renders
> on the screen, that's too secure, I need to show pictures, but not the
> bowels.
>
> >The .htaccess file goes in your uploads/ directory. You'll also want
> >to put the following line in your config.php file:
> >
> > $EnableDirectDownload=0;
> >
> >
>
> This solution meets my demand, no directory readout is possible any
> more. :-)
>
> regards, stephan.
>
While that may work, Directory indexes are not disabled on the server.
If PmWiki breaks/fails etc...(perhaps with future changes/updates)
they could reappear. As you don't want to deny all access to the files
in a dir, just the index (file listing) you should be able to turn it
off in Apache with the following in your .htaccess file:

    Options -Indexes

I will add that you want to make sure you use the '-'. Without it, all
options defined would be overwritten and only Indexes would be turned
on. Thus using '-Indexes' leaves all other options intact, but
removes, or turns off Indexes only - what you want. You can, of
course, use the other suggestions here to control PmWiki's behavior
when a directory listing or non-existent file is requested to keep
things pretty etc.
See the docs for more info on Apache's Options directive:
http://httpd.apache.org/docs/1.3/mod/core.html#options
If you'd like to leave Indexes, but customize them (say only allow
certain file types to display) check here:
http://httpd.apache.org/docs/1.3/mod/mod_autoindex.html#indexignore
--
----
Waylan Limberg
waylan at gmail.com
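
Added example (not part of the original message): a simplified Python model of the Options merge rule described above, showing why "Options -Indexes" keeps the other inherited options while "Options Indexes" replaces them. The function names and the PARENT option set are assumptions made up for this illustration.

```python
# Simplified model of Apache's Options merge rule (added illustration).
# Function names and the sample inherited set are assumptions for this example.
CANON = {n.lower(): n for n in (
    "ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
    "Indexes", "MultiViews", "SymLinksIfOwnerMatch")}


def expand(name):
    """Return the set of options a single keyword stands for."""
    key = name.lower()
    if key == "all":            # All = every option except MultiViews
        return set(CANON.values()) - {"MultiViews"}
    if key == "none":
        return set()
    if key not in CANON:
        raise ValueError("unknown option: " + name)
    return {CANON[key]}


def effective_options(inherited, directive):
    """Apply one 'Options ...' line to the option set inherited from above."""
    words = directive.split()
    if len(words) < 2 or words[0].lower() != "options":
        raise ValueError("not an Options directive: " + directive)
    args = words[1:]
    signed = [a[0] in "+-" for a in args]
    if any(signed) and not all(signed):
        # Mixed forms are ambiguous; this model refuses them.
        raise ValueError("mix of signed and unsigned options")
    if not any(signed):
        # No +/- prefix: the directive replaces everything inherited.
        result = set()
        for a in args:
            result |= expand(a)
        return result
    # All prefixed: start from the inherited set and adjust it.
    result = set(inherited)
    for a in args:
        result = result | expand(a[1:]) if a[0] == "+" else result - expand(a[1:])
    return result


# Constructed sample: options a parent <Directory> block might have set.
PARENT = {"FollowSymLinks", "ExecCGI", "Indexes"}

if __name__ == "__main__":
    for line in ("Options -Indexes", "Options Indexes"):
        print(line, "->", sorted(effective_options(PARENT, line)))
```
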