You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/09/07 22:50:54 UTC
[Bug 62698] New: Preventing mod_autoindex listing of directory
(error 403)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62698
Bug ID: 62698
Summary: Preventing mod_autoindex listing of directory (error
403)
Product: Apache httpd-2
Version: 2.4.34
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: bugs@httpd.apache.org
Reporter: apache@jth.net
Target Milestone: ---
mod_authz will prevent mod_autoindex from generating a listing of a directory
without an index file in certain cases.
For security reasons (illegally uploaded files) a generation of the following
is performed for all directories:
<Directory "/var/www/html/dom.tld/sub">
Require all granted
<FilesMatch "\.(php.*|pl|pm|cgi|shtml|phtml|sh)$" >
Require all denied
</FilesMatch>
<Files "address.php">
Require all granted
</Files>
</Directory>
In httpd.conf for the vhosts:
DirectoryIndex index.var index.htm index.cgi index.php
Options IncludesNOEXEC FollowSymlinks ExecCGI Multiviews
<Directory "/var/www/html/don.tld/sub">
Options +Indexes
Require all granted
</Directory>
mod_authz will assume a Require all denied when testing for e.g. index.php,
which is not present in the directory, but disallowed by the generated rule.
A 403 error will be returned instead of turning over the action to
mod_autoindex.
There should be no consequences for testing a 'denied' rule against a
non-existant file.
[Fri Sep 07 22:23:29.769962 2018] [authz_core:error] [pid 25764:tid
140612263212800] AH01630: client denied by server configuration:
/var/www/html/dom.tld/sub/index.php
[Fri Sep 07 22:23:29.769964 2018] [core:trace3] [pid 25764:tid 140612263212800]
request.c(119): auth phase 'check access' gave status 403: /utils/index.php
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 62698] Preventing mod_autoindex listing of directory (error
403)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62698
Francisco <ma...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marherfran@gmail.com
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org