2:05 pm February 17, 2010
YikYak (Member)
Hi Kevin,
Using WP 2.9.2 and RS 1.1.7. I was doing some testing with one of my (author) users who is worried about the privacy of stuff he uploads. I had previously run your attachment utility etc., and indeed the files seem safe, by all ways we tried to reveal them. But the host has directory browsing enabled. So the uploads directory structure can be browsed, and all the file names revealed. I read that you can stop directory browsing with some .htaccess
I cannot do this myself, the web server "owns" the .htaccess file which has been created by RS, and I cannot do anything to it over my ssh access. Is it possible that you can add the requisite bit to the .htaccess file (even as an option) to stop browsing? I use a custom directory structure for upload - fearful of files getting accidentally overwritten, and I also don't know how to automate some process to create trivial index.html files to stop browsing.
Thanks
YikYak
2:38 pm February 17, 2010
Kevin (Admin)
I'll have to think about how best to implement that. For now you can try modifying role-scoper/rewrite-rules_rs.php as follows:
add this:
$new_rules .= "Options -Indexes\n";
right before:
$new_rules .= "RewriteEngine On\n";
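As an added illustration of the suggestion above (this is not the plugin's own code): a Python helper that inserts the directive ahead of `RewriteEngine On` in an uploads .htaccess and does nothing if it is already there; the sample .htaccess content is constructed, not what Role Scoper actually writes.

```python
"""Added example, not the Role Scoper plugin's own code.

Inserts `Options -Indexes` into an uploads-directory .htaccess ahead of
`RewriteEngine On`, as suggested in the thread, without duplicating the
directive when run again. Caveat (the cause of the 500 error reported
later in this thread): Apache only honours an Options line in .htaccess
when the directory's AllowOverride includes Options; otherwise every
request to that directory fails with "Internal Server Error".
"""
import re

DIRECTIVE = "Options -Indexes"

# Matches an Options line that already switches directory listings off.
_ALREADY_OFF = re.compile(r"^\s*Options\b.*\s-Indexes\b", re.IGNORECASE)
# Matches the line the thread says the directive should precede.
_REWRITE_ON = re.compile(r"^\s*RewriteEngine\s+On\b", re.IGNORECASE)


def harden_htaccess(content: str) -> str:
    """Return .htaccess text with directory listing disabled.

    If a suitable Options line is already present the text is returned
    unchanged; if `RewriteEngine On` is present the directive is inserted
    just before it; otherwise the directive is appended at the end.
    """
    lines = content.splitlines()
    if any(_ALREADY_OFF.match(line) for line in lines):
        return content
    for idx, line in enumerate(lines):
        if _REWRITE_ON.match(line):
            lines.insert(idx, DIRECTIVE)
            break
    else:
        lines.append(DIRECTIVE)
    return "\n".join(lines) + "\n"


# Constructed sample standing in for the plugin-generated file; the real
# rewrite rules are omitted.
SAMPLE_HTACCESS = (
    "# constructed sample, not the file Role Scoper actually writes\n"
    "RewriteEngine On\n"
    "# ... plugin rewrite rules would follow here ...\n"
)

if __name__ == "__main__":
    print(harden_htaccess(SAMPLE_HTACCESS), end="")
```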
3:05 am February 18, 2010
YikYak (Member)
Hi Kevin,
I found there were a couple of possibles for inserting that php in the suggested file. The first one led to the .htaccess in the WordPress root getting modified and completely broke my site; the second one was correct, and did modify the .htaccess file in the uploads directory after I disabled and then re-enabled file filtering in the RS options. But it also partially broke my site: I got Internal Server Error in both cases. In the first case, I got the error for any attempt to see or use the site; in the second case I got the error when trying to browse or download an attachment, and non-attachment related activity was fine. I'll see if my sys admin can shed any light.
Thanks
YikYak
9:43 am February 19, 2010
YikYak (Member)
Hi Kevin,
My sysadmin enabled me to do a bit more in .htaccess (some things had previously been forbidden) so I am ok now even without your modification; the sys admin suggested some .htaccess content in the WordPress root which did the trick.
Thanks
YikYak
9:47 am February 19, 2010
Kevin (Admin)
YikYak said:
My sysadmin enabled me to do a bit more in .htaccess (some things had previously been forbidden) so I am ok now even without your modification; the sys admin suggested some .htaccess content in the WordPress root which did the trick.
Good to hear. Would you mind posting/emailing that content for the benefit of me and others here?
9:48 am February 19, 2010
Kevin (Admin)
Okay, I'll try out Tarski after I catch up on some other work.
9:57 am February 19, 2010
YikYak (Member)
Hi Kevin,
Well, I'm afraid I've no idea what he might have done to the server config in general. He thought your mod would be fine to protect the uploads directory once he allowed me to have it in my local .htaccess, but to save me the hassle he suggested:
Options FollowSymlinks
in the top of the .htaccess in the blog home would do the trick. Which it did.
2:24 pm February 26, 2010
Kevin (Admin)
Okay, I'm glad you got that resolved, but for now I'm just going to let that customization live outside the Role Scoper block. I'm sure there are some servers out there that already have that option locked and would blow up with the custom .htaccess directive.
3:26 am February 27, 2010
YikYak (Member)
That seems very sensible. Thanks.