Project

General

Profile

Bug #1719

can detect presence of hidden directories through HTTP redirects:

Added by Anonymous about 11 years ago. Updated almost 11 years ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Category:
core
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

just did some testing with my local setup:


$ curl -s -D - -o /dev/null http://localhost/~thorben/cgi-bin
HTTP/1.1 301 Moved Permanently
Location: http://localhost/~thorben/cgi-bin/
Content-Length: 0
Date: Sat, 12 Jul 2008 19:17:27 GMT
Server: lighttpd/1.4.19

next:


$ curl -s -D - -o /dev/null http://localhost/~thorben/cgi-bin/
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 12 Jul 2008 19:17:29 GMT
Server: lighttpd/1.4.19

oh. suddenly nothing found. for testing, do the same for a nonexisting dir:


$curl -s -D - -o /dev/null http://localhost/~thorben/cgy-byn 
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 12 Jul 2008 19:21:41 GMT
Server: lighttpd/1.4.19

So, I could find existing but "invisible" dirs using this by some educated guesswork?

-- thkruege

History

#1

Updated by stbuehler about 11 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

If you "hide" directories for example with mod_alias, there is nothing lighty could do to prevent this. (Ok, we "could" try the request before send the 304, but... yeah. Not really)

Btw: I think alias.url = ( "/cgi-bin" => "/your-not-existing-directory/" ) wouldn't trigger that, only if you use a trailing slash for the source.

#2

Updated by stbuehler almost 11 years ago

  • Status changed from Fixed to Invalid

Also available in: Atom