This is a repost of a patch sent in the thread "An unusual request"
about a week ago.
Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
URLs for which the requester was not (yet) authorized did not appear
in the generated listings. This patch allows the administrator
configure, on a per-directory basis, whether or not to show the names
of the authorization-requiring resources in that directory.
This patch introduces a config option which changes the
behaviour of Options +Indexes. It potentially exposes names of
authentication-requiring URLs to unauthenticated users. I've called
the option "IndexOptions RevealSecretURL" to make sure that it isn't
unintentionally enabled. It defaults to not set, which leaves behaviour
as it currently is.
It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
could be changed to appear DIRECTORY by adding a filetype check just
before setting the string ^^UNAUTHORIZED^^.
It explicitly hides the file size and modification time of unauthorized
resources. This differs from the behaviour of 1.3. Code already in
find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
content.
Arguably, it should require AllowOverride AuthConfig too for use in
.htaccess, although that may need a new directive rather than a new
option to an existing directive.
===========
Docs for the IndexOptions RevealSecretURL option:
set or unset on a per-directory basis, just like the rest of
IndexOptions. Default unset overall.
If set, URLs for which valid authentication credentials have not
been presented will appear in autoindex-generated lists of directory
contents.
"^^UNAUTHORIZED^^" can be used as a filename for AddIcon or AddAlt,
if the default choices are inappropriate.
It's only useful in directories where only some files require
authentication; it will reveal to unauthenticated clients the names
of urls that require authentication. However, it also allows Options
+Indexes to work more like it used to in 1.3.
============
I'm sure someone with more imagination can come up with a better option
name.
Built and tested against the version of mod_autoindex released with
httpd-2.0.35, it applies cleanly to the version released with 2.0.36,
and also to the current version in CVS.
f
--
Francis Daly [EMAIL PROTECTED]
--- modules/generators/mod_autoindex.c Fri Apr 5 18:50:37 2002
+++ modules/generators/mod_autoindex.c.new Thu May 16 22:36:38 2002
@@ -110,6 +110,7 @@
#define FANCY_INDEXING 0x2000
#define TABLE_INDEXING 0x4000
#define IGNORE_CLIENT 0x8000
+#define REVEAL_401 0x10000
#define K_NOADJUST 0
#define K_ADJUST 1
@@ -407,6 +408,9 @@
else if (!strcasecmp(w, "VersionSort")) {
option = VERSION_SORT;
}
+ else if (!strcasecmp(w, "RevealSecretURL")) {
+ option = REVEAL_401;
+ }
else if (!strcasecmp(w, "None")) {
if (action != '\0') {
return "Cannot combine '+' or '-' with 'None' keyword";
@@ -1316,7 +1320,9 @@
if ((rr->finfo.filetype != APR_DIR && rr->finfo.filetype != APR_REG)
|| !(rr->status == OK || ap_is_HTTP_SUCCESS(rr->status)
- || ap_is_HTTP_REDIRECT(rr->status))) {
+ || ap_is_HTTP_REDIRECT(rr->status)
+ || ( rr->status == HTTP_UNAUTHORIZED
+ && (autoindex_opts & REVEAL_401) ))) {
ap_destroy_sub_req(rr);
return (NULL);
}
@@ -1337,6 +1343,13 @@
p->key = apr_toupper(keyid);
p->ascending = (apr_toupper(direction) == D_ASCENDING);
p->version_sort = !!(autoindex_opts & VERSION_SORT);
+
+/* Now hide bits that don't need to be revealed */
+ if (rr->status == HTTP_UNAUTHORIZED) {
+ rr->finfo.mtime = -1;
+ rr->finfo.size = -1;
+ rr->filename = "^^UNAUTHORIZED^^";
+ }
if (autoindex_opts & (FANCY_INDEXING | TABLE_INDEXING)) {
p->lm = rr->finfo.mtime;
