On Jun 18, 12:24 pm, Nick Phillips <nick.phill...@otago.ac.nz> wrote:
> Graham Dumpleton wrote:
> >>> It's better to see it this way: Every page is an individual piece of
> >>> content for itself, and still every page can have subpages.
>
> >>> A directory, on the other hand, can have subpages, but is not that
> >>> interesting for itself. Which we don't want to happen - we want all
> >>> our pages to be interesting!
>
> >> Think back to the days when all web pages were a collection of static
> >> html files. Every directory within the server root had an index page
> >> (usually index.html). That page could be found at any of the three
> >> urls: `/path/to/dir`, `/path/to/dir/`, or `/path/to/dir/index.html`.
>
> > My understanding is that the default behaviour of Apache has always
> > been that when '/path/to/dir' was used, it would redirect the client
> > to '/path/to/dir/'.
>
> > It only became possible to override this from Apache 2.0 onwards. See:
>
> > http://httpd.apache.org/docs/2.2/mod/mod_dir.html#directoryslash
>
> > Disabling need for trailing slash in Apache apparently has some
> > security implications as documented in that page and so in some
> > respects it is discouraged.
>
> Two points:
>
> 1) Slashes were only added to directories; we're not talking about
> directories in this case;
> 2) Since we're not talking about that situation (i.e. a request for a
> directory, which could be handled by generating an index in one of two
> different ways), there are absolutely no security implications involved
> in the decision (or lack of decision ;-) ) that is currently being
> discussed.

I was only commenting in relation to how Apache works and the
conjecture that:

"""
Every directory within the server root had an index page
(usually index.html). That page could be found at any of the three
urls: `/path/to/dir`, `/path/to/dir/`, or `/path/to/dir/index.html`.
"""

So, sorry, but that statement is wrong as I pointed out in relation to
Apache and static file serving. If you follow the link to the Apache
document I referenced, you will see that the Apache documentation
states:

"""
Security Warning
Turning off the trailing slash redirect may result in an information
disclosure. Consider a situation where mod_autoindex is active
(Options +Indexes) and DirectoryIndex is set to a valid resource (say,
index.html) and there's no other special handler defined for that URL.
In this case a request with a trailing slash would show the index.html
file. But a request without trailing slash would list the directory
contents.
"""

Take it as you will as being irrelevant to the main conversation about
Django itself, but am just clarifying what is reality for Apache in
relation to that sweeping statement about what happened back in the
"""days when all web pages were a collection of static html files""".

Graham
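
Added example, not part of the original thread or of Apache's own tooling: a small audit that flags `<Directory>` sections matching the combination in the quoted Security Warning (Indexes enabled while `DirectorySlash` is `Off`). It assumes flat, non-nested `<Directory>` sections, no `Include` or `.htaccess` processing, and that server-level directives appear before the sections that inherit them; the function names, the `default_indexes` parameter and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample httpd configuration (not taken from the thread).
SAMPLE_CONF = """\
Options -Indexes
<Directory "/var/www/docs">
    Options +Indexes
    DirectoryIndex index.html
    DirectorySlash Off
</Directory>
<Directory "/var/www/app">
    DirectorySlash Off
</Directory>
<Directory "/var/www/files">
    Options Indexes FollowSymLinks
</Directory>
"""

def apply_options(args, inherited):
    """Return the Indexes state after one Options directive."""
    names = [a.lower() for a in args]
    if names and all(n[0] in "+-" for n in names):   # relative form: merge
        if "+indexes" in names:
            return True
        return False if "-indexes" in names else inherited
    return "indexes" in names or "all" in names      # absolute form: replace

def risky_directories(conf_text, default_indexes=False):
    """List <Directory> paths with Indexes on and DirectorySlash Off."""
    findings, section = [], None
    # Assumption: pass default_indexes=True if the server's default Options include Indexes.
    server = {"indexes": default_indexes, "slash": True}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = dict(server, path=opened.group(1).strip())
        elif line.lower() == "</directory>":
            if section and section["indexes"] and not section["slash"]:
                findings.append(section["path"])
            section = None
        else:
            directive, *args = line.split()
            scope = section if section is not None else server
            if directive.lower() == "options":
                scope["indexes"] = apply_options(args, scope["indexes"])
            elif directive.lower() == "directoryslash" and args:
                scope["slash"] = args[0].lower() != "off"
    return findings
```

For a flagged section, either restore the default `DirectorySlash On` or remove `Indexes` from that directory's `Options`.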