You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Francis Daly <de...@daoine.org> on 2002/05/28 15:25:29 UTC

[PATCH] mod_autoindex and authorization [repost]

This is a repost of a patch sent in the thread "An unusual request"
about a week ago.

Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
URLs for which the requester was not (yet) authorized did not appear
in the generated listings. This patch allows the administrator
configure, on a per-directory basis, whether or not to show the names
of the authorization-requiring resources in that directory.


This patch introduces a config option which changes the
behaviour of Options +Indexes. It potentially exposes names of
authentication-requiring URLs to unauthenticated users. I've called
the option "IndexOptions RevealSecretURL" to make sure that it isn't
unintentionally enabled. It defaults to not set, which leaves behaviour
as it currently is.

It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
could be changed to appear DIRECTORY by adding a filetype check just
before setting the string ^^UNAUTHORIZED^^.

It explicitly hides the file size and modification time of unauthorized
resources. This differs from the behaviour of 1.3. Code already in
find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
content.

Arguably, it should require AllowOverride AuthConfig too for use in
.htaccess, although that may need a new directive rather than a new
option to an existing directive.

===========

Docs for the IndexOptions RevealSecretURL option:

set or unset on a per-directory basis, just like the rest of
IndexOptions. Default unset overall. 

If set, URLs for which valid authentication credentials have not
been presented will appear in autoindex-generated lists of directory
contents.

"^^UNAUTHORIZED^^" can be used as a filename for AddIcon or AddAlt, 
if the default choices are inappropriate.

It's only useful in directories where only some files require
authentication; it will reveal to unauthenticated clients the names
of urls that require authentication. However, it also allows Options
+Indexes to work more like it used to in 1.3.

============

I'm sure someone with more imagination can come up with a better option
name.

Built and tested against the version of mod_autoindex released with
httpd-2.0.35, it applies cleanly to the version released with 2.0.36,
and also to the current version in CVS.

	f
-- 
Francis Daly        deva@daoine.org


--- modules/generators/mod_autoindex.c	Fri Apr  5 18:50:37 2002
+++ modules/generators/mod_autoindex.c.new	Thu May 16 22:36:38 2002
@@ -110,6 +110,7 @@
 #define FANCY_INDEXING      0x2000
 #define TABLE_INDEXING      0x4000
 #define IGNORE_CLIENT       0x8000
+#define REVEAL_401         0x10000
 
 #define K_NOADJUST 0
 #define K_ADJUST 1
@@ -407,6 +408,9 @@
         else if (!strcasecmp(w, "VersionSort")) {
             option = VERSION_SORT;
         }
+        else if (!strcasecmp(w, "RevealSecretURL")) {
+            option = REVEAL_401; 
+        } 
         else if (!strcasecmp(w, "None")) {
             if (action != '\0') {
                 return "Cannot combine '+' or '-' with 'None' keyword";
@@ -1316,7 +1320,9 @@
 
     if ((rr->finfo.filetype != APR_DIR && rr->finfo.filetype != APR_REG)
         || !(rr->status == OK || ap_is_HTTP_SUCCESS(rr->status)
-                              || ap_is_HTTP_REDIRECT(rr->status))) {
+                              || ap_is_HTTP_REDIRECT(rr->status)
+                              || ( rr->status == HTTP_UNAUTHORIZED 
+                                  && (autoindex_opts & REVEAL_401) ))) {
         ap_destroy_sub_req(rr);
         return (NULL);
     }
@@ -1337,6 +1343,13 @@
     p->key = apr_toupper(keyid);
     p->ascending = (apr_toupper(direction) == D_ASCENDING);
     p->version_sort = !!(autoindex_opts & VERSION_SORT);
+
+/* Now hide bits that don't need to be revealed */
+    if (rr->status == HTTP_UNAUTHORIZED) {
+        rr->finfo.mtime = -1;
+        rr->finfo.size = -1;
+        rr->filename = "^^UNAUTHORIZED^^";
+    }
 
     if (autoindex_opts & (FANCY_INDEXING | TABLE_INDEXING)) {
         p->lm = rr->finfo.mtime;

Re: [PATCH] mod_autoindex and authorization [repost]

Posted by Francis Daly <de...@daoine.org>.

On Tue, May 28, 2002 at 09:19:33AM -0500, William A.  Rowe, Jr.  wrote:
> At 08:25 AM 5/28/2002, Francis Daly wrote:
> >
> >Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
> >URLs for which the requester was not (yet) authorized did not appear
> >in the generated listings. This patch allows the administrator
> >configure, on a per-directory basis, whether or not to show the names
> >of the authorization-requiring resources in that directory.
> 
> And the list generally agreed that the right fix is to configure a list
> of HTTP result codes that the administrator will allow to be listed,
> rather than the toggle you proposed.  

Ah right, I'd missed that bit of the discussion.  I saw the
"IndexResults" suggestion, but hadn't noticed that it might be useful
to allow, for example, statuses 402 or 41[1-4] too.

No harm done.

> >It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
> >AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
> >is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
> >DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
> >could be changed to appear DIRECTORY by adding a filetype check just
> >before setting the string ^^UNAUTHORIZED^^.
> 
> Very slick... I see lock icons popping up on my own sites really soon :-)

All the real work was done by whoever coded for ^^DIRECTORY^^ and
^^BLANKICON^^ -- once I was fiddling rr->filename, that bit came as a
freebie.  But it's a nice one.

> >It explicitly hides the file size and modification time of unauthorized
> >resources. This differs from the behaviour of 1.3. Code already in
> >find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
> >content.
> 
> I'm asking myself what it matters?  If they want to include these resources
> in the file list, why do we care that they show up without size/time stamps?
> I suspect that working around this is overkill.

My take would be that advertising the name of the resource will allow
someone with the right credentials to follow links to get the full
information; someone without the credentials doesn't need to know anything
extra.  If they really want to know, they can HEAD with the right
username:password and be happy.  It's a slightly more open
interpretation of the "reveal nothing" philosophy that removed
400-series statuses from the listing in the first place, without quite
being "reveal lots and lots"

The final call is up to the person doing the committing, of course.

All the best,

	f
-- 
Francis Daly        deva@daoine.org

Re: [PATCH] mod_autoindex and authorization [repost]

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

At 08:25 AM 5/28/2002, Francis Daly wrote:
>This is a repost of a patch sent in the thread "An unusual request"
>about a week ago.
>
>Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
>URLs for which the requester was not (yet) authorized did not appear
>in the generated listings. This patch allows the administrator
>configure, on a per-directory basis, whether or not to show the names
>of the authorization-requiring resources in that directory.

And the list generally agreed that the right fix is to configure a list
of HTTP result codes that the administrator will allow to be listed,
rather than the toggle you proposed.  But I haven't had time to hack
together an illustration, anyone who wants to is welcome to take a
stab at it.

>This patch introduces a config option which changes the
>behaviour of Options +Indexes. It potentially exposes names of
>authentication-requiring URLs to unauthenticated users. I've called
>the option "IndexOptions RevealSecretURL" to make sure that it isn't
>unintentionally enabled. It defaults to not set, which leaves behaviour
>as it currently is.
>
>It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
>AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
>is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
>DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
>could be changed to appear DIRECTORY by adding a filetype check just
>before setting the string ^^UNAUTHORIZED^^.

Very slick... I see lock icons popping up on my own sites really soon :-)

>It explicitly hides the file size and modification time of unauthorized
>resources. This differs from the behaviour of 1.3. Code already in
>find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
>content.

I'm asking myself what it matters?  If they want to include these resources
in the file list, why do we care that they show up without size/time stamps?
I suspect that working around this is overkill.