[pmwiki-users] protection against reading directories with truncated path

H. Fox haganfox at users.sourceforge.net
Wed Sep 14 12:56:22 CDT 2005


[For some reason I didn't receive all of the messages in this thread.]

On 9/14/05, Waylan Limberg <waylan at gmail.com> wrote:
> On 9/14/05, Stephan Schildberg <schildberg at scoid.de> wrote:
> > Dear Hagan,
> >
> > thank you.
> >
> > >
> > >    Order Deny,Allow
> > >    Deny from all
> > >
> > >
> >
> > If I do this, it's virtually locked up any pictures, -  no file renders
> > on the screen, that's too secure, I need to show pictures, but not the
> > bowels.

You needed to follow the rest of the directions...

> > >The .htaccess file goes in your uploads/ directory.  You'll also want
> > >to put the following line in your config.php file:
> > >
> > >    $EnableDirectDownload=0;
> > >
> > >
> >
> > This solution meets my demand, no directory readout is possible any
> > more.  :-)

At the risk of over-repeating, you need BOTH the two-line .htaccess
file AND the entry in config.php.

One tells Apache not to serve the files directly, the other tells
PmWiki to handle serving them ("indirectly").

There's another alternative below: Let Apache serve them (don't put
the line in config.php) and merely disable listing the directory.

> > regards, stephan.
> >
> 
> While that may work,

It doesn't give protection against reading directories.  All it does
is make the uploaded files a little bit harder to find (you only need
to know they're in uploads/).  Hence you need both the .htaccess file
and $EnableDirectDownload=0 in config.php to fully achieve the desired
effect.

> Directory indexes are not disabled on the server.
> If PmWiki breaks/fails etc...(perhaps with future changes/updates)
> they could reappear. As you don't want to deny all access to the files
> in a dir, just the index (file listing) you should be able to turn it
> off in Apache with the following in your .htaccess file:
> 
> Options -Indexes

Unless I'm missing something,

    Options -Indexes
    Order Deny,Allow
    Deny from all

and

    Order Deny,Allow
    Deny from all

have exactly the same effect, except if overriding Options is not
enabled the first one will generate an Internal Server Error (or
something like that).  Because of that, the second one is more likely
to Just Work.

However, your suggestion is a good one -- probably better than mine
because it's simpler.  If overriding Options is possible then you can
leave out the $EnableDirectDownload line in config.php and use a
single-line .htaccess file in uploads/ :

    Options -Indexes

Hagan
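A small check script, added here as an example and not part of the thread or of PmWiki, that reports which of the outcomes discussed above a site is actually in: directory listing exposed, blocked (403, which both the Deny-all rule and `Options -Indexes` produce), or a 500 from an .htaccess that the server refuses. It assumes curl is available and that the base URL and sample upload name are placeholders you replace.

```shell
# Interpret one HTTP response to the uploads/ directory URL.
#   403 -> listing blocked (Deny from all, or Options -Indexes honoured)
#   500 -> .htaccess rejected, typically "Options" not permitted by AllowOverride
#   200 whose body is an Apache index page -> directory still listable
#   200 otherwise -> something else is being served at that URL
classify_dir_response() {
  status="$1"
  body="$2"
  case "$status" in
    403) echo "blocked" ;;
    500) echo "htaccess-error" ;;
    200)
      case "$body" in
        *"Index of"*) echo "LISTABLE" ;;
        *) echo "served" ;;
      esac ;;
    *) echo "other:$status" ;;
  esac
}

# Run the checks against a live site.
#   $1 = wiki base URL, e.g. https://wiki.example.org   (placeholder)
#   $2 = an existing upload path such as Main/picture.jpg (placeholder)
check_uploads() {
  base="$1"
  sample="$2"
  tmp=$(mktemp)

  # 1. Is uploads/ listable?
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$base/uploads/") || status=000
  echo "uploads/ listing: $(classify_dir_response "$status" "$(cat "$tmp")")"

  # 2. Can a file still be fetched directly from uploads/?
  #    With Deny-all plus $EnableDirectDownload=0 this should be 403;
  #    with only Options -Indexes it should be 200.
  status=$(curl -s -o /dev/null -w '%{http_code}' "$base/uploads/$sample") || status=000
  echo "direct file fetch:  $status"

  rm -f "$tmp"
}
```

Call `check_uploads https://wiki.example.org Main/picture.jpg` with your own values; a `LISTABLE` result means neither approach from the thread is in effect.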