
Re: release critical bug in apache2.2?



Mike Hommey wrote:
> On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <expires-2007@venthur.de> wrote:
> DirectoryIndex tells apache which file(s) it may use when the url points
> to a directory, instead of creating an index of the directory itself, if
> allowed to.
> 
> The default value for DirectoryIndex is index.html, which
> obviously forgets index.php. But that doesn't mean index.php will be
> readable as source. It only means that the auto index will be displayed
> if no index.html is present and if allowed to.

Is this upstream's default or ours? I mean I just cannot imagine that
apache ignores index.php files by default.

>
> Auto-indexes are enabled only in /var/www/apache2-default and
> /usr/share/apache2/icons by default, so it is not likely to leak any
> unexpected file list.
>

But on the other side, isn't it quite usual to have an index.php in some
dir, say /var/www/ while the document root of your domain just points to
/var/www?

In this case the whole directory structure is visible to every user
including the file index.php itself.

> So no, that doesn't grant an RC bug for these reasons.
> 
> On the other hand, it breaks configurations that used to work... (sites
> relying on this index.php setting will get 403 errors after upgrade from
> 2.0)

So, was the change intentional or just a mistake?


Bastian


-- 
Bastian Venthur
http://venthur.de
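
The behaviour discussed in this thread, as an added example that is not part of the original message or of the Apache packaging: a small audit that walks a document root and reports which directories would fall through to an auto-generated listing or a 403 under a given DirectoryIndex value. It assumes a single server-wide DirectoryIndex and Indexes setting (no per-directory overrides or .htaccess); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def classify(files, directory_index, indexes_enabled):
    """Outcome of a request for the directory URL itself."""
    for name in directory_index:          # first match wins, in order
        if name in files:
            return "index:" + name
    # No index file found: a listing is generated only if Indexes is on.
    return "listing" if indexes_enabled else "forbidden"

def audit(docroot, directory_index, indexes_enabled):
    """List (relative dir, outcome) for every directory not served by an index file."""
    findings = []
    for path, _dirs, files in os.walk(docroot):
        outcome = classify(set(files), directory_index, indexes_enabled)
        if not outcome.startswith("index:"):
            findings.append((os.path.relpath(path, docroot), outcome))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and audit it under three settings."""
    with tempfile.TemporaryDirectory() as root:
        layout = {".": ["index.php", "config.inc"],
                  "static": ["index.html"],
                  "uploads": ["report.pdf"]}
        for rel, names in layout.items():
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            for n in names:
                open(os.path.join(root, rel, n), "w").close()
        return {
            "html_only_no_indexes": audit(root, ["index.html"], False),
            "html_only_indexes": audit(root, ["index.html"], True),
            "html_and_php_indexes": audit(root, ["index.html", "index.php"], True),
        }

if __name__ == "__main__":
    for setting, findings in demo().items():
        print(setting, findings)
```

Directories reported as "listing" expose their file names to any visitor; those reported as "forbidden" are the ones that return 403 after the upgrade described above.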


