
Bug#219112: apache: IndexOptions +Indexes patch



Package: apache
Version: 1.3.28-4

I just saw a report on bugtraq about the RedHat apache package. In
some circumstances, you can get a root directory listing and perhaps
browse subdirectories.

That's all because Options +Indexes is on by default. However, there
is no way to turn that off globally and let users turn it on
per-directory because "AllowOverride" is too coarse - you must
set "AllowOverride Options" to make it possible for a user to
do a "Options +Indexes" or "Options -Indexes". And with "AllowOverride
Options" set, a user can do all kinds of privilege-lifting things
in a .htaccess file (Options +ExecCGI etc).

So for Cistron I patched mod_autoindex so that it supports a new
IndexOptions option - "Indexes". You can now do "Options -Indexes"
globally and let a user turn it back on with "IndexOptions +Indexes"
in .htaccess. Or the other way around if you so desire.

This is much more secure.

Attached is the README, a patch for the debian mod_autoindex,
and a patch for the upstream mod_autoindex.

I would appreciate it if you could send this patch upstream, and
perhaps ask the developers if they can implement it in Apache2
too (the Apache 1.3 implementation is pretty trivial).

Thanks.

Mike.

Currently if you do not set "Options Indexes" in the main apache
config, and you do not allow the user to override options, there
is no way for the user to turn on those indexes. Yet this is
fairly common in an ISP environment:

- Indexes are off by default for security reasons
  (basically protecting users against themselves), but in general
  it's no problem if someone turned it on through .htaccess
- Yet you want to set "AllowOverride None" because you generally
  do NOT want users to turn on, say, "ExecCGI".

There is no way for a user to control "Options [+-]Indexes" if
AllowOverride None is in effect.

This patch adds a new option to the "IndexOptions" statement,
called (surprise) Indexes. The "IndexOptions [+-]Indexes" overrides
whatever was set with "Options [+-]Indexes".

This way you can choose not to globally turn on Indexes, leave
AllowOverride set to None, yet a user can put "IndexOptions +Indexes"
in a .htaccess file and still get a directory listing.

apache-1.3-mod_autoindex.patch
  patch against mod_autoindex of apache-1.3.24

apache-1.3-deb-mod_autoindex-contrib.patch
  patch against Debian's contrib/mod_autoindex of apache_1.3.24-2.1

--- /tmp/apache_1.3.24/src/modules/standard/mod_autoindex.c	Wed Mar 13 22:05:33 2002
+++ apache_1.3.24/src/modules/standard/mod_autoindex.c	Wed Apr 24 17:17:05 2002
@@ -99,6 +99,7 @@
 #define FOLDERS_FIRST 512
 #define TRACK_MODIFIED 1024
 #define SORT_NOCASE 2048
+#define INDEXOPT_INDEXES 4096
 
 #define K_PAD 1
 #define K_NOPAD 0
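Review bot: a one-line comment on INDEXOPT_INDEXES would help here, because unlike the display flags around it this bit decides whether a listing is produced at all and is consumed only in handle_autoindex; also confirm that 4096 is not already taken by a define outside the three context lines shown, since the hunk gives no view of the rest of the flag table.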
@@ -415,6 +416,9 @@
 	else if (!strcasecmp(w, "IgnoreCase")) {
             option = SORT_NOCASE;
 	}
+	else if (!strcasecmp(w, "Indexes")) {
+            option = INDEXOPT_INDEXES;
+	}
         else if (!strcasecmp(w, "None")) {
 	    if (action != '\0') {
 		return "Cannot combine '+' or '-' with 'None' keyword";
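Review bot: the new "Indexes" keyword is accepted by the IndexOptions parser but nothing in the patch documents it; the attached README explains the intent, yet the module's own IndexOptions reference is not touched, and a keyword that changes whether a directory is listed at all (rather than how the listing looks) needs an entry there before this goes upstream. Note also that the keyword is silently accepted in combination with every other IndexOptions flag, which is what the README wants but is worth stating in the docs so administrators know a "+Indexes" can appear anywhere IndexOptions is allowed.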
@@ -1752,7 +1756,7 @@
 static int handle_autoindex(request_rec *r)
 {
     autoindex_config_rec *d;
-    int allow_opts = ap_allow_options(r);
+    int opt_indexes = ap_allow_options(r) & OPT_INDEXES;
 
     d = (autoindex_config_rec *) ap_get_module_config(r->per_dir_config,
 						      &autoindex_module);
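Review bot: `opt_indexes` is initialised to `ap_allow_options(r) & OPT_INDEXES`, a masked bit, but is later assigned the literals 1 and 0, so the variable holds two different encodings of the same boolean; normalise it at the declaration with `int opt_indexes = (ap_allow_options(r) & OPT_INDEXES) != 0;` and add a comment that this is the Options-derived default which IndexOptions may override, otherwise the later reassignments read as if they were fixing something.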
@@ -1763,8 +1767,12 @@
     }
 
     /* OK, nothing easy.  Trot out the heavy artillery... */
+    if ((d->incremented_opts & INDEXOPT_INDEXES) ||
+	(d->opts & INDEXOPT_INDEXES)) opt_indexes = 1;
+    if ((d->decremented_opts & INDEXOPT_INDEXES) &&
+	!(d->opts & INDEXOPT_INDEXES)) opt_indexes = 0;
 
-    if (allow_opts & OPT_INDEXES) {
+    if (opt_indexes) {
 	/* KLUDGE --- make the sub_req lookups happen in the right directory.
 	 * Fixing this in the sub_req_lookup functions themselves is difficult,
 	 * and would probably break virtual includes...
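Review bot: the two `if` statements that compute the override carry no comment explaining the precedence they encode, and the `!(d->opts & INDEXOPT_INDEXES)` guard on the decrement branch is not self-explanatory; say in a comment that a per-directory `IndexOptions +Indexes` or `-Indexes` overrides whatever `Options` granted, and why a decrement that is still present in `opts` is ignored. Separately, the README states that a user can do this with "AllowOverride None" in effect, but this patch does not touch the module's command table, so the override class under which IndexOptions is accepted from .htaccess is whatever it was before the patch; verify that claim before sending this upstream, because the whole value of the change is letting an administrator keep AllowOverride restrictive while still delegating listings.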
--- apache-1.3.24/contrib/mod_autoindex/mod_autoindex.c~	Wed Apr 24 17:09:56 2002
+++ apache-1.3.24/contrib/mod_autoindex/mod_autoindex.c	Thu Apr 25 23:25:14 2002
@@ -98,6 +98,7 @@
 #define FOLDERS_FIRST 512
 #define TRACK_MODIFIED 1024
 #define STUDLY_INDEXING 2048
+#define INDEXOPT_INDEXES 4096
 
 #define K_PAD 1
 #define K_NOPAD 0
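Review bot: this define is a copy of the one in the upstream patch, but the context shows the contrib tree's 2048 bit is STUDLY_INDEXING rather than SORT_NOCASE, so the two flag tables have already diverged; confirm that 4096 is free in this file independently of the upstream one instead of assuming the tables match, and consider giving the two copies the same comment so a later reader knows they are meant to be identical.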
@@ -455,6 +456,9 @@
 	else if (!strcasecmp(w, "FoldersFirst")) {
 	    option = FOLDERS_FIRST;
 	}
+	else if (!strcasecmp(w, "Indexes")) {
+	    option = INDEXOPT_INDEXES;
+	}
 	else if (!strcasecmp(w, "TrackModified")) {
 	    option = TRACK_MODIFIED;
 	}
@@ -1941,7 +1945,7 @@
 static int handle_autoindex(request_rec *r)
 {
     autoindex_config_rec *d;
-    int allow_opts = ap_allow_options(r);
+    int opt_indexes = ap_allow_options(r) & OPT_INDEXES;
 
     d = (autoindex_config_rec *) ap_get_module_config(r->per_dir_config,
 						      &autoindex_module);
@@ -1952,8 +1956,12 @@
     }
 
     /* OK, nothing easy.  Trot out the heavy artillery... */
+    if ((d->incremented_opts & INDEXOPT_INDEXES) ||
+	(d->opts & INDEXOPT_INDEXES)) opt_indexes = 1;
+    if ((d->decremented_opts & INDEXOPT_INDEXES) &&
+	!(d->opts & INDEXOPT_INDEXES)) opt_indexes = 0;
 
-    if (allow_opts & OPT_INDEXES) {
+    if (opt_indexes) {
 	/* KLUDGE --- make the sub_req lookups happen in the right directory.
 	 * Fixing this in the sub_req_lookup functions themselves is difficult,
 	 * and would probably break virtual includes...
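Review bot: this block is byte-for-byte the same as the corresponding upstream hunk, and the same remarks apply (no comment on the precedence rule, opaque `!(d->opts & INDEXOPT_INDEXES)` guard, `opt_indexes` mixing a masked bit with literal 0/1). If both trees are to be carried, note in each copy that the other must be changed in step, otherwise a later correction to the override logic will land in only one of them and the Debian and upstream modules will silently disagree on when a listing is served.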

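As an added illustration, not part of the bug report or its patches, here is the configuration shape the README describes, with the permissive server-level settings the report complains about beside the hardened form that relies on the patched IndexOptions keyword. Paths and the user name are placeholders. One assumption beyond the page: the hardened block uses "AllowOverride Indexes" rather than None, because IndexOptions is itself a directive of the Indexes override class and must be permitted before .htaccess can use it; Options remains denied, which is what keeps ExecCGI out of a user's reach.

```apache
# --- Permissive (the situation the report describes) ---------------------
# Listings are on for everything, and because "Options" is an allowed
# override a user may also turn on ExecCGI or anything else in .htaccess.
<Directory /var/www>
    Options Indexes FollowSymLinks
    AllowOverride Options
</Directory>

# --- Hardened, using the patched "IndexOptions [+-]Indexes" ----------------
# Listings are denied server-wide and .htaccess may not touch Options at all.
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>

# User webspace: still no listings by default, but the Indexes class of
# override directives (IndexOptions among them) is permitted, so a user can
# opt a directory back in without being able to change Options.
<Directory /home/*/public_html>
    Options -Indexes
    AllowOverride Indexes
</Directory>

# Hypothetical /home/alice/public_html/downloads/.htaccess:
#
#     IndexOptions +Indexes
#
# The patched mod_autoindex treats that as overriding "Options -Indexes" for
# this directory only. An "Options +Indexes" in the same file would be
# rejected, because Options is not among the allowed overrides.
```

The reverse policy the README mentions works the same way: keep "Options Indexes" at server level and put "IndexOptions -Indexes" in the directories that must never be listed. In either direction the administrator decides with AllowOverride which of the two knobs users may touch, and the audit question for a defender becomes simply whether any .htaccess under the user tree contains IndexOptions +Indexes.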