On 21 Aug 2005, at 17:39, Joshua Slive wrote:



So I have apache 2.0.50 installed on Mandrake

A little bit of an old version.


OK, it comes with Mandrake 10.1 and I am a bit lazy :-)
The latest version is 2.0.54 and
http://ftp.physics.auth.gr/pub/mirrors/apache/httpd/CHANGES_2.0
doesn't mention anything relevant (AFAICS) between .50 and .54

Perhaps I'll upgrade and see.

In one of my virtual hosts I have

        <Location />
                Allow from all
        </Location>

        <Location /ppm/storyboard>
                Options +Indexes
                Allow from all                         **
        </Location>

When I go to this location with a web browser I see the directory
index but with no files UNLESS I also include

        <Directory /document root>
                Allow from all
        </Directory>

I do not see any files listed.

Why do I need the double Allow from all ??
Or more interestingly, if access to the location is denied, why don't I
get a forbidden message instead of an empty listing?

Interesting.  If you request the files inside the directory directly,
does it work?

Yes you can access the files. Accessing the files of course has nothing
to do with mod_autoindex.
It is as if the execute right is removed from the directory.


I haven't tested this myself, but my guess is that mod_autoindex
(which generates the directory listings) is doing a file-level
sub-request on each entry in the directory to see if it is accessible.
 For some reason this sub-request is not processing the <Location>
sections, only the <Directory> sections.

Makes sense.
A bug then, or perhaps a security feature?


You still can see the directory itself because the main request is
honoring the <Location> section.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-------------------------------------------------------------------
Stuart Gall
Systems Administrator
-------------------------------------------------------------------
No user serviceable parts inside?  I'll be the judge of that!
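
The workaround reported in this thread (the listing only fills in once a `<Directory>` section also carries the access rule) can be checked for mechanically. The following is an added example, not part of the original messages and not Apache project code: a small Python audit that flags URL paths whose `Order`/`Allow`/`Deny` rules appear only in `<Location>` sections. The `DocumentRoot` value `/var/www/site` and the function name `audit` are assumptions, and `Alias` mappings are not handled.

```python
import re

# Constructed sample: the virtual host from the post, with an assumed
# DocumentRoot (/var/www/site is a placeholder, not taken from the thread).
SAMPLE = """
DocumentRoot /var/www/site
<Location />
    Allow from all
</Location>
<Location /ppm/storyboard>
    Options +Indexes
    Allow from all
</Location>
"""

# Apache 2.0-style access directives, as used in the thread.
ACCESS = re.compile(r'^\s*(Order|Allow|Deny)\b', re.I | re.M)
# A <Location ...> or <Directory ...> section and its body.
SECTION = re.compile(r'<(Location|Directory)\s+"?([^">]+?)"?\s*>(.*?)</\1>',
                     re.I | re.S)

def audit(conf):
    """Return URL paths whose access rules live only in <Location> sections."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', conf, re.I | re.M)
    docroot = m.group(1).rstrip("/") if m else ""
    locations, directories = [], []
    for kind, path, body in SECTION.findall(conf):
        if ACCESS.search(body):
            target = locations if kind.lower() == "location" else directories
            target.append(path.rstrip("/"))
    findings = []
    for url in locations:
        fs = docroot + url  # filesystem path the URL maps to (no Alias handling)
        covered = any(fs == d or fs.startswith(d + "/") for d in directories)
        if not covered:
            findings.append(url or "/")
    return findings

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("access rule only in <Location>:", url)
```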

