Textpattern CMS support forum
Protecting directories from prying eyes
Should we provide a mechanism in 4.0.4 to protect directories from prying eyes?
Like /files, /images, anything below the /textpattern directory.
I did an experiment and visited Mary’s site: 404s for prying eyes. I went to Zem’s site: prohibited messages. I searched the FAQ and Textbook and nothing showed up. I could search the forum, but a new user probably wouldn’t do this.
If those with experience lock down their sites, should it be part of a release?
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: Protecting directories from prying eyes
i support this idea.
it would be most helpful to have a php-based routine to write into the .htaccess file for instance. i would certainly welcome other approaches to this as well.
A hole turned upside down is a dome, when there’s also gravity.
Re: Protecting directories from prying eyes
Those are directories that really do exist, so the display of the directory index is normally not handled by Textpattern, but by the webserver itself… Are zem/mary protecting them with .htaccess?
Normally when I want to hide a directory index, I simply upload an empty index.html
Re: Protecting directories from prying eyes
Put an empty index.html in the directory. Done.
Whether contents of directories are displayed or not is a configuration option of the webserver. I am not sure why duplicating that option in textpattern (which would be restricted to a few directories only anyhow) would be a good idea.
It’s not a matter of security either, since currently all files are downloadable by anyone anyhow.
Re: Protecting directories from prying eyes
right, sorry, i do that, too… empty index.html i mean. argh, that was too easy…
A hole turned upside down is a dome, when there’s also gravity.
Re: Protecting directories from prying eyes
Yes, an index.html, like the one in the /update directory that says Nothing here., can be easily replicated. I was just curious why it wasn’t part of the package?
Especially the /files and /images directories, since a user has no clue that someone can just bring up his files directory in a browser, download all his files and his download count in admin is not updated.
Let’s keep in mind that not all of us are geeks, some people running Textpattern are just plain folks wanting to put up a site and pick Textpattern from Fantastico and have at it.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: Protecting directories from prying eyes
Having an index.html there doesn’t prevent people from downloading the files directly.
Re: Protecting directories from prying eyes
ruud wrote:
Having an index.html there doesn’t prevent people from downloading the files directly.
No, but an .htaccess file would.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: Protecting directories from prying eyes
so that brings us back to what we said above.
uhm. so it would be an interesting feature to be able to protect images and downloads directories from within the admin prefs panel, which would write this preference accordingly into the .htaccess file. or would this be stored in MySQL and read out each time a user accesses a page?
A hole turned upside down is a dome, when there’s also gravity.
Re: Protecting directories from prying eyes
Visitors have to be able to view the images, so you can’t block access to the images.
Adding an index.html or doing <code>chmod 711</code> on the image directory (if PHP runs under your username) is the most you can do. That last trick works because you don’t need read permission on a directory to be able to access the files inside it; execute permission is enough.
- set the file upload path (advanced TXP prefs) to a location that is outside your webspace (may not work in safe_mode)
- <code>chmod 700</code> the files directory (if PHP runs under your username).
Last edited by ruud (2006-09-29 18:18:30)
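An added example (not part of ruud's post or of Textpattern): a shell check for the two mitigations discussed in this thread, reporting whether a directory's permission bits let other users list or enter it and whether an index.html is present. The helper name `dir_exposure` and the sample tree are constructed for illustration; the check reads mode bits only and knows nothing about the web server's own index settings.

```shell
#!/bin/sh
# Added example: report how a directory is exposed to users other than its owner.
# dir_exposure is a hypothetical helper name, not a Textpattern or Apache tool.
dir_exposure() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 1; }
    # Characters 8-10 of `ls -ld` output are the r/w/x bits for "other".
    other=$(ls -ld "$dir" | cut -c8-10)
    case $other in
        r?[xt]) access="listable" ;;       # read + search (755): names and files
        -?[xt]) access="traverse-only" ;;  # search only (711): files by name, no listing
        r??)    access="names-only" ;;     # read without search: names but no file access
        *)      access="closed" ;;         # no read, no search (700): nothing reachable
    esac
    # An index.html only replaces the server-generated listing; it does not
    # change who can fetch a file whose name is already known.
    if [ -e "$dir/index.html" ]; then index="index.html"; else index="no-index"; fi
    echo "$access $index"
}

# Constructed sample tree standing in for a Textpattern install.
demo_root=$(mktemp -d)
mkdir "$demo_root/images" "$demo_root/files" "$demo_root/update"
chmod 711 "$demo_root/images"    # visitors must still be able to fetch images
chmod 700 "$demo_root/files"     # downloads served through PHP only
chmod 755 "$demo_root/update"
: > "$demo_root/update/index.html"

for d in images files update; do
    printf '%-8s %s\n' "$d" "$(dir_exposure "$demo_root/$d")"
done
```
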
Re: Protecting directories from prying eyes
Thanks ruud, it’s always good to have a healthy debate.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: Protecting directories from prying eyes
If you want to hide the parts of the /textpattern directory that need not be accessible to outsiders, you could add a .htaccess file like this one in the /textpattern directory (not in the root directory!):
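<IfModule mod_rewrite.c>
    RewriteEngine On
    # Allow the /textpattern and /textpattern/setup directories themselves
    RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
    # Allow index.php, setup/index.php and css.php
    RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
    # Allow textpattern.css and textpattern.js
    RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
    # Allow the admin interface images in txp_img
    RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
    # Everything else gets 403 Forbidden
    RewriteRule ^(.*) - [F]
</IfModule>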
And if you do this, you may also want to move README.txt and HISTORY.txt into the textpattern directory because they reveal the TXP version number.
Last edited by ruud (2006-10-27 20:50:56)
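An added example (not part of ruud's post or of Textpattern): the four RewriteCond exceptions above replayed against sample paths, to check before deployment which requests the final [F] rule would refuse. The function name `txp_verdict`, the `/var/www/html` document root and the sample file names are constructed; `grep -E` stands in for Apache's regex engine, which is an assumption that holds for these four patterns because they use only syntax both share.

```shell
#!/bin/sh
# Added example: evaluate the .htaccess exceptions from the post offline.
# txp_verdict PATH prints "allow" or "forbid" for a filesystem path, the
# form %{REQUEST_FILENAME} takes in a per-directory .htaccess file.
txp_verdict() {
    path=$1
    for allow in \
        'textpattern(/setup)?/?$' \
        'textpattern/((setup/)?index|css)\.php$' \
        'textpattern/textpattern\.(css|js)$' \
        'textpattern/txp_img/.+\.(jpg|gif|png)$'
    do
        # The RewriteConds are ANDed and each is negated with "!", so the
        # rule fires only when none of the patterns match. One match is
        # therefore enough to let the request through.
        if printf '%s\n' "$path" | grep -Eq "$allow"; then
            echo allow
            return 0
        fi
    done
    echo forbid
}

# Constructed sample paths. The patterns are not anchored at the start and
# are case-sensitive (no [NC] flag), so only the exact tail of the path counts.
for p in \
    /var/www/html/textpattern/ \
    /var/www/html/textpattern/index.php \
    /var/www/html/textpattern/setup/index.php \
    /var/www/html/textpattern/textpattern.js \
    /var/www/html/textpattern/txp_img/logo.gif \
    /var/www/html/textpattern/txp_img/logo.PNG \
    /var/www/html/textpattern/config.php \
    /var/www/html/textpattern/lib/txplib_db.php
do
    printf '%-7s %s\n' "$(txp_verdict "$p")" "$p"
done
```
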