Bug #1719

closed

can detect presence of hidden directories through HTTP redirects:

Added by Anonymous almost 16 years ago. Updated over 15 years ago.

Status: Invalid
Priority: Normal
Category: core

Description

Just did some testing with my local setup:


$ curl -s -D - -o /dev/null http://localhost/~thorben/cgi-bin
HTTP/1.1 301 Moved Permanently
Location: http://localhost/~thorben/cgi-bin/
Content-Length: 0
Date: Sat, 12 Jul 2008 19:17:27 GMT
Server: lighttpd/1.4.19

next:


$ curl -s -D - -o /dev/null http://localhost/~thorben/cgi-bin/
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 12 Jul 2008 19:17:29 GMT
Server: lighttpd/1.4.19

Oh. Suddenly nothing found. For testing, do the same for a nonexistent dir:


$ curl -s -D - -o /dev/null http://localhost/~thorben/cgy-byn
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 12 Jul 2008 19:21:41 GMT
Server: lighttpd/1.4.19

So, I could find existing but "invisible" dirs using this by some educated guesswork?

-- thkruege

Actions #1

Updated by stbuehler over 15 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

If you "hide" directories, for example with mod_alias, there is nothing lighty could do to prevent this. (Ok, we "could" try the request before sending the 304, but... yeah. Not really)

Btw: I think alias.url = ( "/cgi-bin" => "/your-not-existing-directory/" ) wouldn't trigger that, only if you use a trailing slash for the source.

Actions #2

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Invalid
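
The comparison made in the report, written as a check an administrator can run over captured headers from their own server. This is an added example, not part of the original ticket or of lighttpd; the function names are hypothetical and the header dumps are the ones from the description, abridged (Date header omitted).

```python
# Added example: header dumps copied (abridged) from the report above;
# all function names are hypothetical.
PROBE = "http://localhost/~thorben/cgi-bin"
CONTROL = "http://localhost/~thorben/cgy-byn"

NO_SLASH = """HTTP/1.1 301 Moved Permanently
Location: http://localhost/~thorben/cgi-bin/
Content-Length: 0
Server: lighttpd/1.4.19"""

WITH_SLASH = """HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Server: lighttpd/1.4.19"""

CONTROL_RESP = WITH_SLASH  # the nonexistent name got the same 404 in the report


def parse_head(dump):
    """Return (status_code, headers) from a `curl -D -` header dump."""
    lines = [ln.strip() for ln in dump.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def slash_redirect(url, dump):
    """True if the response is a redirect that only appends '/' to url."""
    status, headers = parse_head(dump)
    return status in (301, 302, 307, 308) and headers.get("location") == url + "/"


def leaks_existence(url, no_slash, with_slash, control_url, control):
    """True if redirect behaviour separates a hidden directory from a missing one."""
    hidden = parse_head(with_slash)[0] == 404  # content itself is not served
    return (hidden
            and slash_redirect(url, no_slash)  # yet the slash redirect fires
            and not slash_redirect(control_url, control))  # and not for a bogus name


if __name__ == "__main__":
    print(leaks_existence(PROBE, NO_SLASH, WITH_SLASH, CONTROL, CONTROL_RESP))
```

Re-running the check on fresh captures after changing an alias or access rule shows whether the redirect still distinguishes the hidden path from a nonexistent one.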