Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/05/16 03:30:13 UTC

Re: An unusual request

Chris,

   I think this is a good direction.  What about IndexResults [with a
default of 2xx/3xx]?

   Shorthand would be #xx for a group [so you could include 2xx 3xx 4xx],
or explicit response codes, say 200 only.

Bill

At 07:06 PM 5/15/2002, Chris Taylor wrote:
>Hi,
>
>I use Apache on my own machine for testing and development purposes and 
>have recently upgraded from 1.3.22 to 2.0.36 (tonight in fact).
>
>In general, I'm very impressed with the new features, and my PHP execution 
>speeds seem to have improved as well.
>
>However, there is one major gripe I have, and I hope you can help me with 
>it. On my index page, I rely on Apache to index my folders there, and have 
>used a README file to add a few aliases I have on to the bottom of this list.
>
>Under Apache 1.3.22 this all worked fine, but unfortunately the changes 
>made to the auto-indexing system have ruined this somewhat in Apache 2.
>
>I note that in the changelogs you added this:
>
>*) mod_autoindex now excludes any file names that would result in
>      an error, other than a success or redirect.  Also optimized
>      the parent directory, always included except in the URI '/'.
>      [William Rowe]
>
>Unfortunately, this is not always a desirable situation (well, for me at 
>least).
>
>If you look here: http://harry-bo.dyndns.org/ 
>(Apache 1.3.22) and here 
>http://harry-bo.dyndns.org:81/ (Apache 
>2.0.36), the difference is obvious. By hiding pages that will produce an 
>error it has hidden my passworded folders (or at least this is my 
>assumption here?). This behaviour is somewhat undesirable, and I can 
>imagine people with similar systems where they know of passworded folders 
>but are happy to have them indexed would find this problematic.
>
>Basically, what I'm suggesting is that this feature be added as an option 
>(possibly to IndexOptions?) to allow indexing of error-inducing pages 
>under certain circumstances.
>
>Or possibly I've just missed the option already ;)
>
>Anyway, thanks for your time and keep up the good work.
>
>HB
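
The IndexResults idea proposed above, sketched as an added example (not code from this thread or from httpd): a matcher for a whitespace-separated list of status classes such as 4xx and explicit codes such as 401. The function names and the fail-closed handling of a malformed list are assumptions; the 2xx/3xx default is the one proposed in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: match one token, either a class ("4xx") or an exact
 * code ("401"). Returns 1 on match, 0 on no match, -1 if malformed. */
static int token_matches(const char *tok, size_t len, int status)
{
    if (len != 3 || !isdigit((unsigned char)tok[0]))
        return -1;
    if (tolower((unsigned char)tok[1]) == 'x' &&
        tolower((unsigned char)tok[2]) == 'x')
        return status / 100 == tok[0] - '0';
    if (isdigit((unsigned char)tok[1]) && isdigit((unsigned char)tok[2]))
        return status == (tok[0] - '0') * 100 + (tok[1] - '0') * 10 + (tok[2] - '0');
    return -1;
}

/* Returns 1 if an entry whose subrequest ended with `status` is listed, 0 if
 * it is hidden, -1 if the spec is malformed (assumed policy: caller hides).
 * A NULL or blank spec falls back to the proposed default "2xx 3xx". */
int index_result_listed(const char *spec, int status)
{
    int listed = 0;
    if (spec == NULL || spec[strspn(spec, " \t")] == '\0')
        spec = "2xx 3xx";
    while (*spec) {
        size_t len; int m;
        spec += strspn(spec, " \t");        /* skip separators */
        len = strcspn(spec, " \t");         /* length of next token */
        if (len == 0) break;
        m = token_matches(spec, len, status);
        if (m < 0) return -1;               /* reject the whole spec */
        listed |= m;                        /* keep validating later tokens */
        spec += len;
    }
    return listed;
}

int main(void)
{
    const char *specs[] = { NULL, "2xx 3xx 401", "200" };   /* constructed */
    int codes[] = { 200, 301, 401, 403 };
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 4; j++)
            printf("%-12s %d -> %d\n", specs[i] ? specs[i] : "(default)",
                   codes[j], index_result_listed(specs[i], codes[j]));
    return 0;
}
```

With the default list a 401 entry stays hidden; it appears only when the admin names 401 or 4xx explicitly.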


Re: An unusual request [PATCH] mod_autoindex

Posted by Francis Daly <de...@daoine.org>.
On Wed, May 15, 2002 at 09:40:56PM -0400, Cliff Woolley wrote:
> On Wed, 15 May 2002, William A. Rowe, Jr. wrote:
> 
> >    I think this is a good direction.  What about IndexResults [with a
> > default of 2xx/3xx]?  Shorthand would be #xx for a group [so you could
> > include 2xx 3xx 4xx], or explicit response codes, say 200 only.
> 
> +1.  I never liked that we arbitrarily took away the 4xx's, especially
> 401.  It should be up to the admin.

Vaguely related to this, the appended patch lets the admin allow 401s
through. I don't think many other 400-series errors want to be passed
through at all? 

Anyway, for your consideration:


This patch introduces a config option which changes the
behaviour of Options +Indexes. It potentially exposes names of
authentication-requiring URLs to unauthenticated users. I've called
the option "IndexOptions RevealSecretURL" to make sure that it isn't
unintentionally enabled. It defaults to not set, which leaves behaviour
as it currently is.

This patch does not address the concern raised earlier about the many
stat()s and subrequests made in an autoindex'ed directory containing
directories. I think changing that would require a different design
entirely.

It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
could be changed to appear DIRECTORY by adding a filetype check just
before setting the string ^^UNAUTHORIZED^^.

It explicitly hides the file size and modification time of unauthorized
resources. This differs from the behaviour of 1.3. Code already in
find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
content.

Arguably, it should require AllowOverride AuthConfig too for use in
.htaccess, although that may need a new directive rather than a new
option to an existing directive.

===========

Docs for the IndexOptions RevealSecretURL option:

set or unset on a per-directory basis, just like the rest of
IndexOptions. Default unset overall. 

If set, URLs for which valid authentication credentials have not
been presented will appear in autoindex-generated lists of directory
contents.

"^^UNAUTHORIZED^^" can be used as a filename for AddIcon or AddAlt, 
if the default choices are inappropriate.

It's only useful in directories where only some files require
authentication; it will reveal to unauthenticated clients the names
of URLs that require authentication. However, it also allows Options
+Indexes to work more like it used to in 1.3.

============

I'm sure someone with more imagination can come up with a better option
name.

Built and tested against the version of mod_autoindex released with
httpd-2.0.35, it applies cleanly to the version released with 2.0.36,
which appears to be the current version in CVS.

	f
-- 
Francis Daly        deva@daoine.org


--- modules/generators/mod_autoindex.c	Fri Apr  5 18:50:37 2002
+++ modules/generators/mod_autoindex.c.new	Thu May 16 22:36:38 2002
@@ -110,6 +110,7 @@
 #define FANCY_INDEXING      0x2000
 #define TABLE_INDEXING      0x4000
 #define IGNORE_CLIENT       0x8000
+#define REVEAL_401         0x10000
 
 #define K_NOADJUST 0
 #define K_ADJUST 1
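Review bot: REVEAL_401 at 0x10000 is the first option bit above 0x8000, so it no longer fits in 16 bits; the declaration of the field that holds these flags is not part of this patch, so please confirm it is wider than 16 bits, otherwise the bit is lost when the option is stored. The macro name also differs from the user-facing keyword RevealSecretURL; a short comment next to the define tying the two together would help.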
@@ -407,6 +408,9 @@
         else if (!strcasecmp(w, "VersionSort")) {
             option = VERSION_SORT;
         }
+        else if (!strcasecmp(w, "RevealSecretURL")) {
+            option = REVEAL_401; 
+        } 
         else if (!strcasecmp(w, "None")) {
             if (action != '\0') {
                 return "Cannot combine '+' or '-' with 'None' keyword";
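Review bot: the new RevealSecretURL branch is accepted wherever IndexOptions is accepted, with no additional check, although the cover note says it arguably should require AllowOverride AuthConfig when used in .htaccess; that decision should be settled before this goes in, or at least recorded in a comment on this branch, since the option discloses names of protected URLs. The two added lines `option = REVEAL_401; ` and `} ` also end in trailing whitespace.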
@@ -1316,7 +1320,9 @@
 
     if ((rr->finfo.filetype != APR_DIR && rr->finfo.filetype != APR_REG)
         || !(rr->status == OK || ap_is_HTTP_SUCCESS(rr->status)
-                              || ap_is_HTTP_REDIRECT(rr->status))) {
+                              || ap_is_HTTP_REDIRECT(rr->status)
+                              || ( rr->status == HTTP_UNAUTHORIZED 
+                                  && (autoindex_opts & REVEAL_401) ))) {
         ap_destroy_sub_req(rr);
         return (NULL);
     }
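Review bot: the filetype test in the first clause of this condition is unchanged, so a 401 entry is still dropped unless rr->finfo.filetype is APR_DIR or APR_REG; please confirm finfo is populated for a subrequest that ended in HTTP_UNAUTHORIZED, otherwise the option has no effect for those entries. The added lines put spaces inside the parentheses (`( rr->status` and `) )))`) and leave trailing whitespace after HTTP_UNAUTHORIZED, unlike the surrounding code.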
@@ -1337,6 +1343,13 @@
     p->key = apr_toupper(keyid);
     p->ascending = (apr_toupper(direction) == D_ASCENDING);
     p->version_sort = !!(autoindex_opts & VERSION_SORT);
+
+/* Now hide bits that don't need to be revealed */
+    if (rr->status == HTTP_UNAUTHORIZED) {
+        rr->finfo.mtime = -1;
+        rr->finfo.size = -1;
+        rr->filename = "^^UNAUTHORIZED^^";
+    }
 
     if (autoindex_opts & (FANCY_INDEXING | TABLE_INDEXING)) {
         p->lm = rr->finfo.mtime;
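Review bot: assigning the literal "^^UNAUTHORIZED^^" to rr->filename replaces the subrequest's real path for everything later in this function, not only the AddIcon/AddAlt lookup; a local variable holding the lookup name would keep the change contained. The -1 written to rr->finfo.mtime is copied into p->lm by the context line that follows, so the rendering code has to treat -1 as "do not display", and nothing in this patch shows that it does. The block also keys on rr->status alone, relying on the earlier return to have filtered out 401s when REVEAL_401 is unset; testing the flag here as well would make that explicit. The comment `/* Now hide bits ...` should be indented to match the block.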

Re: An unusual request

Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 15 May 2002, William A. Rowe, Jr. wrote:

>    I think this is a good direction.  What about IndexResults [with a
> default of 2xx/3xx]?  Shorthand would be #xx for a group [so you could
> include 2xx 3xx 4xx], or explicit response codes, say 200 only.

+1.  I never liked that we arbitrarily took away the 4xx's, especially
401.  It should be up to the admin.

--Cliff

--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA