Anton Vasilev

Reputation: 104

"Index of ..." directory listing protection

all!

On our server we have got a directory 'files' with materials for students and teachers:

http://sample.ru/files/4students/
http://sample.ru/files/4teacherszzz/
http://sample.ru/files/markszzz/
...

Each directory, when you type it into your web browser, shows you an 'Index of /files/4students/' page with a list of files/subdirs.

But we've got a problem: when the student types 'http://sample.ru/files/' he can see all other folders! But students must not see teachers' files (in folders 4teacherzzz and markszzz).

So we've put a blank index.html into /files/. And by typing this URL, the student can't see other folders.

Now, this is the question: can any student (who only knows the 'http://sample.ru/files/4students/' URL) get the list of URLs in 'http://sample.ru/files/' (maybe by specially typing '/files/4students/../' or so on)? And how? And how to deny this?

The problem is that we must leave that folder system --- it is more convenient for teachers (they only copy files to a folder on the server and the files automatically appear in the "Index of ..." page).

Thanks for your replies!

Upvotes: 1

Views: 1254

Answers (1)

Dirk-Willem van Gulik

Reputation: 7706

Depending on your brand of web server - no. Most brands of normal origin servers (like Apache, IIS) will be particularly careful about collapsing any attempts at ../.. and similar naughtiness. (Note that some servers optimized for proxy/caching and similar non-origin use may well NOT do that).

But regardless you want to read the documentation very carefully. And note that most servers, like Apache and IIS, have specific directives for just this particular problem.

Have a look at "Indexes", i.e.

<Directory /something/>
    # the leading minus removes Indexes from the option set for this directory
    Options -Indexes
    # ... any other directives for this directory
</Directory>

Note the minus - it will very explicitly disable indexes (be careful with symbolic links though - or also use -FollowSymLinks). http://httpd.apache.org/docs/2.0/mod/core.html has the full story.

Check specifically the section 'Directory Directive' and note the text:

Be careful with the directory-path arguments: They have to literally match the filesystem path which Apache uses to access the files. Directives applied to a particular <Directory> will not apply to files accessed from that same directory via a different path, such as via different symbolic links.

and the example just below it. So you typically will want to lock down (-Indexes) on the lower level and then do a directory(match) one down for the students where you do allow Indexes.

Your trick of adding an index.html usually works - but note that this is just because mod_autoindex snarfs it in a timely fashion. This is not as guaranteed as above - in particular when you have MultiViews or other localisation/internationalization and similar (language/charset) variants in your server. See http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html.

Hope this helps,

Dw.

Upvotes: 2
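Putting the answer's advice together for the questioner's layout, as an added example that is not part of the original answer (the filesystem path /var/www/files and the mapping of /var/www to http://sample.ru/ are assumptions; the directory names are the questioner's):

```apache
# Assumed layout: /var/www is served as http://sample.ru/ and
# /var/www/files holds the 4students/, 4teacherszzz/ and markszzz/ dirs.

# 1. Lock the whole tree down: no auto-generated "Index of ..." pages
#    and no following of symlinks, so a link planted inside 4students/
#    cannot lead the indexer back up into /files.
<Directory "/var/www/files">
    Options -Indexes -FollowSymLinks
    # Serve the questioner's blank index.html when /files/ itself is requested
    DirectoryIndex index.html
</Directory>

# 2. Re-enable listings only where students are meant to browse.
#    <Directory> sections are merged shortest path first, so this more
#    specific section overrides the one above for 4students/ only.
<Directory "/var/www/files/4students">
    Options +Indexes
</Directory>

# 3. Caveat: with -Indexes a request for /files/4teacherszzz/ now gets
#    403 Forbidden instead of a listing, but an individual file whose
#    name is known is still served. If the teacher files must stay
#    private, those directories additionally need access control
#    (an AuthType/Require block), which this example does not set up.
```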
