[
https://issues.apache.org/jira/browse/ABDERA-398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094078#comment-14094078
]
william kelley commented on ABDERA-398:
---------------------------------------
While there may be flaws in http protocol, this is clearly a bug report about
the failure of apache .htaccess to address a near universal problem.
When web sites are built, they use subfolders, and usually want to deny direct
access to subfolders.
Specifically, subfolders with .css and .js, which are accessed from browsers in
processing HTML.
Those accesses ARE distinguishable by HTTP_REFERER.
Yes, it can be spoofed, and yet it is there and is a 99% solution preventing
access via legitimate browser, robots, etc.
There is no way to say Deny access unless I'm the referrer.
Forgive me if I took for granted you actually understood the protocol.
This is a simple tool that IS available in the http protocol which apache only
gives access to via the most obscure of methods.
Make it simple.
It takes what, a day to fix?
> Need simple subfolder access control to allow ONLY indirect access
> ------------------------------------------------------------------
>
> Key: ABDERA-398
> URL: https://issues.apache.org/jira/browse/ABDERA-398
> Project: Abdera
> Issue Type: Bug
> Affects Versions: 0.2.2, 0.3.0, 0.4.0, 1.0, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.2
> Reporter: william kelley
>
> On the web I have found literally dozens of questions on this, and not one
> single simple solution, and most web solutions don't (always) work.
> Everyone has a need to prevent access to the wrong files, and usually can
> stick them in a subfolder. Often you have no control on where the subfolder
> can be, meaning it is indeed a subfolder of the web site root folder.
> What everyone wants, is to say, no one can DIRECTLY access subfolder foo,
> but my files, such as <root>/index.php CAN access foo.
> The allow/deny mechanism appears to have no way to say this, which is clearly
> where it should be controlled.
> It appears as if the allow/deny mechanism always treats access from
> request directly to foo folder
> exactly the same as
> request to index.php which accesses subfolder foo, which is the desired
> working route.
> Allow from <mysite.com> does not work, I'm guessing because allow can only
> test the requesting ip/hostname.
> How hard is it to have a keyword for
> Deny <direct access>?
> or
> Allow <local access>?
> or
> AllowIndirect all
> or
> Allow allIndirect
> or
> you are clever, pick what you like and make it easy to say.
> If I am missing something simple that "fixes" this, it is not from lack of
> spending days, not hours, looking for this.
> Something this basic and universal should be able to be expressed by a not
> very expert at all person, in one or two lines.
> I am a programmer of some decades, and I expect this could be fixed in a day,
> maybe 2, by someone familiar with internals.
> If the solution is out there, it is well hidden.
> thanks for reading.
> Replies invited.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
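As an added illustration of the Referer-based check the comment describes (this is example configuration, not code from the thread or from the Abdera project), an Apache 2.4 .htaccess fragment for a static-asset subfolder; "example.com" is a placeholder for the site's own host name, and the directory must be covered by a suitable AllowOverride:

```apache
# Added example: deny direct requests to a subfolder of static assets unless
# the Referer header shows the request came from a page on this site.
# Place in <docroot>/assets/.htaccess. "example.com" is a placeholder.
# Apache 2.4 syntax (mod_setenvif + mod_authz_core); the 2.2 equivalent is
# "Order Deny,Allow / Deny from all / Allow from env=local_ref".

# Flag requests whose Referer begins with one of our own origins.
SetEnvIf Referer "^https?://(www\.)?example\.com/" local_ref

# Serve .css/.js only when the flag is set; everything else gets 403.
# Referer is client-supplied, so any HTTP client can set it: this stops
# casual direct links and most crawlers, not a deliberate attacker, and is
# not a security boundary for sensitive files. It also blocks legitimate
# browsers that omit the header (Referrer-Policy: no-referrer, privacy
# extensions), so test with real clients before relying on it.
<FilesMatch "\.(css|js)$">
    Require env local_ref
</FilesMatch>
```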