[pmwiki-users] protection against reading directories with truncated path
H. Fox
haganfox at users.sourceforge.net
Wed Sep 14 12:56:22 CDT 2005
[For some reason I didn't receive all of the messages in this thread.]
On 9/14/05, Waylan Limberg <waylan at gmail.com> wrote:
> On 9/14/05, Stephan Schildberg <schildberg at scoid.de> wrote:
> > Dear Hagan,
> >
> > thank you.
> >
> > >
> > > Order Deny,Allow
> > > Deny from all
> > >
> > >
> >
> > If I do this, it virtually locks up any pictures - no file renders
> > on the screen. That's too secure; I need to show pictures, but not the
> > bowels.
You needed to follow the rest of the directions...
> > >The .htaccess file goes in your uploads/ directory. You'll also want
> > >to put the following line in your config.php file:
> > >
> > > $EnableDirectDownload=0;
> > >
> > >
> >
> > This solution meets my demand, no directory readout is possible any
> > more. :-)
At the risk of over-repeating, you need BOTH the two-line .htaccess
file AND the entry in config.php.
One tells Apache not to serve the files directly, the other tells
PmWiki to handle serving them ("indirectly").
There's another alternative below: Let Apache serve them (don't put
the line in config.php) and merely disable listing the directory.
> > regards, stephan.
> >
>
> While that may work,
It doesn't give protection against reading directories. All it does
is make the uploaded files a little bit harder to find (you only need
to know they're in uploads/). Hence you need both the .htaccess file
and $EnableDirectDownload=0 in config.php to fully achieve the desired
effect.
> Directory indexes are not disabled on the server.
> If PmWiki breaks/fails etc...(perhaps with future changes/updates)
> they could reappear. As you don't want to deny all access to the files
> in a dir, just the index (file listing) you should be able to turn it
> off in Apache with the following in your .htaccess file:
>
> Options -Indexes
Unless I'm missing something,
Options -Indexes
Order Deny,Allow
Deny from all
and
Order Deny,Allow
Deny from all
have exactly the same effect, except if overriding Options is not
enabled the first one will generate an Internal Server Error (or
something like that). Because of that, the second one is more likely
to Just Work.
However, your suggestion is a good one -- probably better than mine
because it's simpler. If overriding Options is possible then you can
leave out the $EnableDirectDownload line in config.php and use a
single-line .htaccess file in uploads/ :
Options -Indexes
Hagan
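Added example (not part of the thread): a small audit script that reads uploads/.htaccess and config.php and reports which of the states discussed above an install is in. It assumes the Apache 2.2 directive syntax used in the thread and a config.php path supplied by the caller.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.2-style directives, as discussed in the thread (Apache 2.4 spells
# the deny rule "Require all denied"; that form is not recognised here).
DENY_ALL = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.I | re.M)
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)
# PmWiki setting that makes PmWiki, rather than Apache, serve uploaded files.
INDIRECT_DL = re.compile(r"^\s*\$EnableDirectDownload\s*=\s*0\s*;", re.M)


def classify(htaccess: str, config: str) -> str:
    """Map the two files to one of the four states described in the thread.

    indirect    - Deny from all + $EnableDirectDownload=0: Apache never serves
                  uploads/, PmWiki streams them; no listing, no direct reads.
    broken      - Deny from all without the config.php line: PmWiki still
                  links straight into uploads/, so nothing renders.
    no-listing  - Options -Indexes only: Apache serves files directly but
                  will not list the directory (needs AllowOverride Options).
    unprotected - anything else: a directory index is still reachable.
    """
    deny = bool(DENY_ALL.search(htaccess))
    indirect = bool(INDIRECT_DL.search(config))
    if deny and indirect:
        return "indirect"
    if deny:
        return "broken"
    if NO_INDEXES.search(htaccess):
        return "no-listing"
    return "unprotected"


def audit(uploads_dir: Path, config_php: Path) -> str:
    """Read uploads/.htaccess and config.php from disk (missing file = empty)."""
    ht = uploads_dir / ".htaccess"
    htaccess = ht.read_text() if ht.is_file() else ""
    config = config_php.read_text() if config_php.is_file() else ""
    return classify(htaccess, config)


if __name__ == "__main__":
    # Constructed sample install: the admin added the two-line .htaccess but
    # forgot the config.php line, reproducing the "no pictures render" symptom.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / ".htaccess").write_text("Order Deny,Allow\nDeny from all\n")
        (root / "config.php").write_text("<?php\n")
        print(audit(root / "uploads", root / "config.php"))  # broken
```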