[pmwiki-users] protection against reading directories with truncated path

Waylan Limberg waylan at gmail.com
Wed Sep 14 11:40:25 CDT 2005


On 9/14/05, Stephan Schildberg <schildberg at scoid.de> wrote:
> Dear Hagan,
> 
> thank you.
> 
> >
> >    Order Deny,Allow
> >    Deny from all
> >
> >
> 
> If I do this, it's virtually locked up any pictures, -  no file renders
> on the screen, that's too secure, I need to show pictures, but not the
> bowels.
> 
> >The .htaccess file goes in your uploads/ directory.  You'll also want
> >to put the following line in your config.php file:
> >
> >    $EnableDirectDownload=0;
> >
> >
> 
> This solution meets my demand, no directory readout is possible any
> more.  :-)
> 
> regards, stephan.
> 

While that may work, directory indexes are not disabled on the server.
If PmWiki breaks/fails etc...(perhaps with future changes/updates) 
they could reappear. As you don't want to deny all access to the files
in a dir, just the index (file listing) you should be able to turn it
off in Apache with the following in your .htaccess file:

Options -Indexes

I will add that you want to make sure you use the '-'. Without it, all
options defined would be overwritten and only Indexes would be turned
on. Thus using '-Indexes' leaves all other options intact, but
removes, or turns off Indexes only - what you want. You can, of
course, use the other suggestions here to control PmWiki's behavior
when a directory listing or non-existent file is requested to keep
things pretty etc.

See the docs for more info on Apache's Options directive:
http://httpd.apache.org/docs/1.3/mod/core.html#options
If you'd like to leave Indexes, but customize them (say only allow
certain file types to display) check here:
http://httpd.apache.org/docs/1.3/mod/mod_autoindex.html#indexignore

-- 
----
Waylan Limberg
waylan at gmail.com
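
Added example, not part of the original message and not Apache's own code: a simplified Python model of the Options merge rule described above, showing why `Options -Indexes` keeps the inherited options while a bare `Options Indexes` replaces them. The function name and the inherited option set are assumptions made for illustration, and lines mixing prefixed and unprefixed options are rejected here as a simplification.

```python
# Simplified model of how one Apache "Options" line combines with the
# options inherited from the parent scope (illustration, not Apache code).

# Option names from the Apache 1.3 core documentation.
KNOWN = ["ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
         "Indexes", "MultiViews", "SymLinksIfOwnerMatch"]
CANON = {name.lower(): name for name in KNOWN}


def apply_options(inherited, directive):
    """Return the set of options in force after one Options line."""
    words = directive.split()
    if len(words) < 2 or words[0].lower() != "options":
        raise ValueError("not an Options directive: %r" % directive)
    args = words[1:]
    prefixed = [a[0] in "+-" for a in args]
    if any(prefixed) and not all(prefixed):
        # Simplification of this model: refuse mixed lines outright.
        raise ValueError("mixed prefixed and unprefixed options")

    def canon(name):
        try:
            return CANON[name.lower()]
        except KeyError:
            raise ValueError("unknown option: %r" % name)

    if not any(prefixed):
        # No +/- prefix: the listed options REPLACE everything inherited.
        result = set()
        for a in args:
            if a.lower() == "none":
                continue
            if a.lower() == "all":  # All = everything except MultiViews
                result |= set(KNOWN) - {"MultiViews"}
            else:
                result.add(canon(a))
        return result

    # Every option prefixed: merge with what is already in force.
    result = set(inherited)
    for a in args:
        if a[0] == "+":
            result.add(canon(a[1:]))
        else:
            result.discard(canon(a[1:]))
    return result


if __name__ == "__main__":
    parent = {"FollowSymLinks", "Includes", "Indexes"}  # constructed sample
    for line in ("Options -Indexes", "Options Indexes", "Options +Indexes"):
        print("%-18s -> %s" % (line, sorted(apply_options(parent, line))))
```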



