[GNC-dev] Yet another documentation compiling oddity

John Ralls jralls at ceridwen.us
Sat Sep 15 10:28:18 EDT 2018


If an attacker guesses the path a -Indexes directive won’t stop him from requesting the directory from the server. It should return a 403 if there’s no index.html, but perhaps there are servers out there that fail, or perhaps the web design folks think that a blank page is better than a 403.

Of course it’s also possible that the practice got going before -Indexes was added and never went away, or that since .htaccess is an Apache thing it’s not sufficiently general (nginx seems to require per-directory config of its autoindex module in its config file, no idea about IIS).

Regards,
John Ralls


> On Sep 14, 2018, at 9:13 PM, Adrien Monteleone <adrien.monteleone at lusfiber.net> wrote:
> 
> Interesting. I’ll investigate. I’ve never had an issue that I’m aware of. If the server won’t even let you get there due to the directive...?
> 
> Regards,
> Adrien
> 
>> On Sep 14, 2018, at 5:38 PM, John Ralls <jralls at ceridwen.us> wrote:
>> 
>> It's my understanding that that's less than perfect. It's standard practice in the the CMS world to put poisoned index.html files in directories where you don't want browsers poking their noses.
>> 
>> Regards,
>> John Ralls
> 
> 
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel



More information about the gnucash-devel mailing list