The following reply was made to PR general/2030; it has been noted by GNATS.
From: "Daniel C. Stevenson" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: general/2030: spelling error possibilities include files that shouldn't be seen
Date: Wed, 20 May 1998 19:20:58 -0400

>mod_autoindex does this as well - it will list the contents
>of a directory regardless of what the actual permissions on
>each file are. This is the "expected" behavior for something

It's not even the case of permissions on the file system level, but also permissions set by Apache. I have various configuration rules that deny requests for certain files. While moving them to another directory would be good, that doesn't solve the possible problem of the user finding the names of hidden directories. Or, in the case of a scripts directory, listing the name of every CGI script.

In the end, I think the security concerns could be addressed by adding a 3-state flag for the module. If the flag is 0, only when a single match is discovered is it returned; a 404 is returned otherwise. If the flag is 1, only a list of multiple matches is returned (not very usual, but good for completeness). If the flag is 2, single and multiple matches are returned, depending on what is appropriate.

I recognize that the problem is not terribly serious or risky, and I don't mean to burden your time. I have been using and enjoying Apache since 0.8.x, and I am very grateful for the excellent work the Apache Group has done.

Dan Stevenson
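A model of the three-state flag proposed in the message above, added here as an illustration; it is not part of the original message or of Apache's code. The `Mode` values, function names and directory listing are hypothetical, and the matching rule is a simplified one-edit comparison rather than the module's own.

```python
from enum import IntEnum

class Mode(IntEnum):        # hypothetical names for the proposed flag values
    SINGLE_ONLY = 0         # return a lone match, 404 otherwise
    MULTIPLE_ONLY = 1       # return only lists of several matches
    BOTH = 2                # return whichever applies

def one_edit_apart(a, b):
    """True if the names differ only by case or by one insertion,
    deletion, substitution or adjacent transposition (simplified rule)."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def respond(requested, directory, mode):
    """Return (status, names_disclosed) for a request that matched no file."""
    matches = sorted(n for n in directory if one_edit_apart(requested, n))
    if len(matches) == 1 and mode in (Mode.SINGLE_ONLY, Mode.BOTH):
        return 301, matches          # redirect to the single candidate
    if len(matches) > 1 and mode in (Mode.MULTIPLE_ONLY, Mode.BOTH):
        return 300, matches          # candidate list sent to the client
    return 404, []                   # nothing about the directory is revealed

# Constructed sample listing of a scripts directory.
SCRIPTS = ["report.cgi", "reports.cgi", "admin.cgi", "index.html"]

if __name__ == "__main__":
    for name in ("reprt.cgi", "reportt.cgi"):
        for mode in Mode:
            status, disclosed = respond(name, SCRIPTS, mode)
            print(f"{name:12} flag={int(mode)} -> {status} {disclosed}")
```

With the flag at 0 the ambiguous request gets a 404 and no file names, while a single-match redirect still confirms one existing name.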
