Posted to users@httpd.apache.org by Stuart Gall <st...@otenet.gr> on 2005/08/21 12:56:03 UTC
[users@httpd] Strange problem with Options +Indexes
Hello,
As I understand it <Location something>
and <Directory something>
are equivalent except Location refers from the Document root
So I have apache 2.0.50 installed on Mandrake
In one of my virtual hosts I have
<Location />
Allow from all
</Location>
<Location /ppm/storyboard>
Options +Indexes
Allow from all **
</Location>
When I go to this location with a web browser I see the directory index
but with no files UNLESS
I also include
<Directory /document root>
Allow from all
</Directory>
I do not see any files listed.
Why do I need the double Allow from all ??
Or more interestingly if access to the location is denied why don't I
get a forbidden message instead of an empty listing ?
** Probably not necessary but I added this before I tried the Directory
Allow from all directive
TIA
-------------------------------------------------------------------
Stuart Gall
Systems Administrator
-------------------------------------------------------------------
No user serviceable parts inside? I'll be the judge of that!
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Strange problem with Options +Indexes
Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:
> On 8/22/05, Stuart Gall <st...@otenet.gr> wrote:
> > > I haven't tested this myself, but my guess is that mod_autoindex
> > > (which generates the directory listings) is doing a file-level
> > > sub-request on each entry in the directory to see if it is
> > > accessible. For some reason this sub-request is not processing the
> > > <Location> sections, only the <Directory> sections.
> >
> > Makes sense.
> > A bug then, or perhaps a security feature?
>
> I think it's a bug, but I'm not sure.
mod_autoindex does file based subrequests, which skip <Location> containers,
because <Location> doesn't work with files.
nd
--
Winnetous Erbe: <http://pub.perlig.de/books.html#apache2>
Re: [users@httpd] Strange problem with Options +Indexes
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joshua Slive wrote:
> On 8/22/05, Stuart Gall <st...@otenet.gr> wrote:
>
>>>I haven't tested this myself, but my guess is that mod_autoindex
>>>(which generates the directory listings) is doing a file-level
>>>sub-request on each entry in the directory to see if it is accessible.
>>> For some reason this sub-request is not processing the <Location>
>>>sections, only the <Directory> sections.
>>
>>Makes sense.
>>A bug then, or perhaps a security feature?
>
> I think it's a bug, but I'm not sure.
Well, it is a security feature to subrequest each of the files. Because
this is using a very optimized file subdir lookup, the full <Location>
tree might not be parsed.
It sounds like it could be a bug; but at the same time, you've hit on an
edge case which should be a reminder to never mix <Location >'s when you
really mean to call out either <Files > or <Directory >'s.
Bill
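
A configuration sketch of the point made in this reply, added here as an example and not posted by anyone in the thread. The filesystem path /var/www/example is an assumed document root (the thread only gives "/document root"); the directives use the 2.0-era access syntax seen in the original post.

```apache
# Assumed document root for this sketch; substitute the real filesystem path.
# DocumentRoot /var/www/example

# As posted: Options and access are set only in URL space.
# The main request for /ppm/storyboard/ merges this section, so the index
# page itself is generated, but the file-based subrequests that
# mod_autoindex runs for each directory entry skip <Location> containers.
<Location /ppm/storyboard>
    Options +Indexes
    Allow from all
</Location>

# Filesystem-scoped form: <Directory> sections are applied to the main
# request and to the per-file subrequests, so listing and entries agree.
<Directory /var/www/example/ppm/storyboard>
    Options +Indexes
    Order allow,deny
    Allow from all
</Directory>
```

With the second form in place the `<Location /ppm/storyboard>` block is no longer needed for the listing; keeping access rules for on-disk content in `<Directory>` or `<Files>` avoids the main request and the subrequests seeing different policy.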
Re: [users@httpd] Strange problem with Options +Indexes
Posted by Joshua Slive <js...@gmail.com>.
On 8/22/05, Stuart Gall <st...@otenet.gr> wrote:
> > I haven't tested this myself, but my guess is that mod_autoindex
> > (which generates the directory listings) is doing a file-level
> > sub-request on each entry in the directory to see if it is accessible.
> > For some reason this sub-request is not processing the <Location>
> > sections, only the <Directory> sections.
>
> Makes sense.
> A bug then, or perhaps a security feature?
I think it's a bug, but I'm not sure.
Joshua.
Re: [users@httpd] Strange problem with Options +Indexes
Posted by Stuart Gall <st...@otenet.gr>.
On 21 Aug 2005, at 17:39, Joshua Slive wrote:
>
>
>>
>> So I have apache 2.0.50 installed on Mandrake
>
> A little bit of an old version.
>
OK It comes with mandrake 10.1 and I am a bit lazy :-)
The latest version is 2.0.54 and
http://ftp.physics.auth.gr/pub/mirrors/apache/httpd/CHANGES_2.0
doesn't mention anything relevant (AFAICS) between .50 and .54
Perhaps I'll upgrade and see.
>> In one of my virtual hosts I have
>>
>> <Location />
>> Allow from all
>> </Location>
>>
>> <Location /ppm/storyboard>
>> Options +Indexes
>> Allow from all **
>> </Location>
>>
>> When I go to this location with a web browser I see the directory
>> index
>> but with no files UNLESS
>> I also include
>>
>> <Directory /document root>
>> Allow from all
>> </Directory>
>>
>> I do not see any files listed.
>>
>> Why do I need the double Allow from all ??
>> Or more interestingly if access to the location is denied why don't I
>> get a forbidden message instead of an empty listing ?
>
> Interesting. If you request the files inside the directory directly,
> does it work?
Yes you can access the files. Accessing the files of course has nothing
to do with mod_autoindex.
It is as if the execute right is removed from the directory.
>
> I haven't tested this myself, but my guess is that mod_autoindex
> (which generates the directory listings) is doing a file-level
> sub-request on each entry in the directory to see if it is accessible.
> For some reason this sub-request is not processing the <Location>
> sections, only the <Directory> sections.
Makes sense.
A bug then, or perhaps a security feature?
> You still can see the directory itself because the main request is
> honoring the <Location> section.
>
-------------------------------------------------------------------
Stuart Gall
Systems Administrator
-------------------------------------------------------------------
No user serviceable parts inside? I'll be the judge of that!
Re: [users@httpd] Strange problem with Options +Indexes
Posted by Joshua Slive <js...@gmail.com>.
On 8/21/05, Stuart Gall <st...@otenet.gr> wrote:
> Hello,
> As I understand it <Location something>
> and <Directory something>
> are equivalent except Location refers from the Document root
That's a gross (and potentially dangerous) oversimplification. See:
http://httpd.apache.org/docs/2.0/sections.html#file-and-web
for the true difference.
>
> So I have apache 2.0.50 installed on Mandrake
A little bit of an old version.
> In one of my virtual hosts I have
>
> <Location />
> Allow from all
> </Location>
>
> <Location /ppm/storyboard>
> Options +Indexes
> Allow from all **
> </Location>
>
> When I go to this location with a web browser I see the directory index
> but with no files UNLESS
> I also include
>
> <Directory /document root>
> Allow from all
> </Directory>
>
> I do not see any files listed.
>
> Why do I need the double Allow from all ??
> Or more interestingly if access to the location is denied why don't I
> get a forbidden message instead of an empty listing ?
Interesting. If you request the files inside the directory directly,
does it work?
I haven't tested this myself, but my guess is that mod_autoindex
(which generates the directory listings) is doing a file-level
sub-request on each entry in the directory to see if it is accessible.
For some reason this sub-request is not processing the <Location>
sections, only the <Directory> sections.
You still can see the directory itself because the main request is
honoring the <Location> section.