Posted to users@httpd.apache.org by ht...@karsites.net on 2005/12/29 16:48:15 UTC

[users@httpd] Filename Access

Hi all.

When I set up a directory to forbid access to it, and to the 
files in the directory, I can still retrieve a file's 
contents if I know the full file name.

Is this normal behaviour - or can I block access to these 
unlisted files somehow?

Regards - Keith 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Filename Access

Posted by ht...@karsites.net.
I'm wondering if that could be the problem. Should it be 
possible to stop files being served by the server with the 
config I showed?
 
If so there must be some conflicts somewhere in my config 
files.


Keith



On Thu, 29 Dec 2005, Sean Davis wrote:

> To: users@httpd.apache.org
> From: Sean Davis <sd...@mail.nih.gov>
> Subject: Re: [users@httpd] Filename Access

> Since you say that you have a complicated, multifile 
> config, are you sure that you are actually reading this 
> config file?  Are you sure that you aren't later 
> overriding it with another directive on the same 
> directory?
> 
> Sean


Re: [users@httpd] Filename Access

Posted by Sean Davis <sd...@mail.nih.gov>.


On 12/29/05 1:31 PM, "httpd2@karsites.net" <ht...@karsites.net> wrote:

> 
> Hi Sean.
> 
> I'm using Apache 2 on SuSE Linux 9.2 pro.
> 
> The config is split over many different files.
> 
> I include my own custom config file that has different
> directory settings, such as:
> 
> 
> <Directory /srv/www/htdocs/KAR/websites/test/PHP>
>     Options None
>     Order deny,allow
>     Deny from all
>     <Files *.php>
>         Order deny,allow
>         Deny from all
>     </Files>
> </Directory>
> 
> But I can still access a php file called get_vars.php
> in the forbidden directory that displays the content of the
> $_SERVER array:
> 
> <?php
> echo "<br />contents of \$_SERVER[] <br />";
> while(list($key, $value) = each($_SERVER))
>    {
>    echo "$key => $value <br />";
>    }
> ?>

I'm not an apache expert, so I might be missing an obvious problem with your
config file, but it looks OK at first glance.  Since you say that you have a
complicated, multifile config, are you sure that you are actually reading
this config file?  Are you sure that you aren't later overriding it with
another directive on the same directory?

Sean
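
Added example (not part of the original thread and not the posters' code): one way to carry out the check suggested above, listing every access directive that covers a directory in the order Apache merges sections, with <Directory> sections from shortest to longest path first and <Location> sections last. The file names, the in-memory FILES config and the /srv/www/htdocs DocumentRoot are constructed assumptions.

```python
import re
from pathlib import PurePosixPath as P

# Constructed sample config split over several files; every file name and the
# /srv/www/htdocs DocumentRoot are assumptions made for this example.
FILES = {
    "httpd.conf": "Include custom.conf\nInclude vhost.conf\n",
    "custom.conf": "<Directory /srv/www/htdocs/KAR/websites/test/PHP>\n"
                   "    Order deny,allow\n    Deny from all\n</Directory>\n",
    "vhost.conf": "<Directory /srv/www/htdocs>\n    Order allow,deny\n"
                  "    Allow from all\n</Directory>\n<Location /KAR>\n"
                  "    Order allow,deny\n    Allow from all\n</Location>\n",
}
ACCESS = re.compile(r"(Order|Allow|Deny|Satisfy|Require)\b", re.I)
OPEN = re.compile(r'<(\w+)\s*"?([^">]*)"?\s*>')

def walk(files, name):
    """Yield (file, lineno, line) in the order the server reads the config."""
    for n, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        inc = re.match(r"Include\s+(\S+)", line, re.I)
        if inc and inc.group(1) in files:      # Include expands in place
            yield from walk(files, inc.group(1))
        elif line and not line.startswith("#"):
            yield name, n, line

def covers(prefix, path):
    return P(prefix) == P(path) or P(prefix) in P(path).parents

def access_rules(files, root, fs_dir, url):
    """Access directives affecting fs_dir/url, in merge order: <Directory>
    sections from shortest path to longest, then <Location> sections."""
    stack, dirs, locs = [], [], []
    for fname, n, line in walk(files, root):
        m = OPEN.match(line)
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif ACCESS.match(line):
            # Nested <Files> lines are reported under the enclosing section.
            kind, arg = next((s for s in stack if s[0] in ("directory", "location")), ("", ""))
            if kind == "directory" and covers(arg, fs_dir):
                dirs.append((arg, fname, n, line))
            elif kind == "location" and covers(arg, url):
                locs.append((arg, fname, n, line))
    dirs.sort(key=lambda h: len(P(h[0]).parts))  # stable sort keeps file order on ties
    return dirs + locs
```

Called as access_rules(FILES, "httpd.conf", "/srv/www/htdocs/KAR/websites/test/PHP", "/KAR/websites/test/PHP/get_vars.php"), the last entry returned for the constructed sample is the <Location /KAR> "Allow from all", which is merged after the <Directory> "Deny from all".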





Re: [users@httpd] Filename Access

Posted by ht...@karsites.net.
Hi Sean.

I'm using Apache 2 on SuSE Linux 9.2 pro.

The config is split over many different files.

I include my own custom config file that has different 
directory settings, such as:


<Directory /srv/www/htdocs/KAR/websites/test/PHP>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>

But I can still access a php file called get_vars.php
in the forbidden directory that displays the content of the 
$_SERVER array:

<?php
echo "<br />contents of \$_SERVER[] <br />";
while(list($key, $value) = each($_SERVER))
   {
   echo "$key => $value <br />";
   }
?>

Keith
 

On Thu, 29 Dec 2005, Sean Davis wrote:

> To: users@httpd.apache.org
> From: Sean Davis <sd...@mail.nih.gov>
> Subject: Re: [users@httpd] Filename Access
> 
> It would be helpful if you let us know some details of the 
> config file that you are using for the directory of 
> interest.
> 
> Sean




Re: [users@httpd] Filename Access

Posted by Sean Davis <sd...@mail.nih.gov>.


On 12/29/05 10:48 AM, "httpd2@karsites.net" <ht...@karsites.net> wrote:

> 
> Hi all.
> 
> When I set up a directory to forbid access to it, and to the
> files in the directory, I can still retrieve a file's
> contents if I know the full file name.
> 
> Is this normal behaviour - or can I block access to these
> unlisted files somehow?

Keith,

It would be helpful if you let us know some details of the config file that
you are using for the directory of interest.

Sean


