“……的索引”目录列表保护
全部!
在我们的服务器上,我们有一个目录“文件”,其中包含供学生和教师使用的材料:
http://sample.ru/files/4students/
http://sample.ru/files/4teacherszzz/
http://sample.ru/files/markszzz/
...
每个目录,当您将其输入网络浏览器时,都会显示“/files/4students/”页面的索引,其中包含文件/子目录列表。
但是,我们遇到了问题:当学生输入“http://sample.ru/files/”时,他可以看到所有其他文件夹!但学生不得看到教师文件(位于文件夹 4teacherzzz 和markszzz 中)。
因此,我们将空白的index.html放入/files/中。通过输入此网址,学生将无法看到其他文件夹。
现在,这是一个问题:任何学生(他只知道“http://sample.ru /files/4students/”网址)都可以获取“http://sample.ru /files/”中的网址列表(可能是通过特殊输入“/files/4students/../”等)?又如何呢?以及如何否认这一点?
问题是我们必须保留文件夹系统——这对老师来说更方便(他们只将文件复制到服务器上的文件夹,文件会自动出现在“索引...”页面中)
感谢您的回复!
all!
On our server we have got a directory 'files' with materials for students and teachers:
http://sample.ru/files/4students/
http://sample.ru/files/4teacherszzz/
http://sample.ru/files/markszzz/
...
Each directory, when you type it into your web-browser shows you 'Index of /files/4students/' page with list of files/subdirs.
But, we've got problem: when the student types 'http://sample.ru/files/' he can see all other folders! But students must not see teachers files (in folders 4teacherzzz and markszzz).
So, we've put blank index.html into /files/ . And by typing this url, student can't see other folders.
Now, this is question: can anyone student (he only knows 'http://sample.ru /files/4students/' url) get list of urls in 'http://sample.ru /files/' (may be by special typing '/files/4students/../' or so on)? and how? and how to deny this?
The problem is that we must leave that folders system --- it is more convenient for teachers (they only copy files to a folder on server and files automatically appears in "Index of ..." page)
Thanks for your replies!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
取决于您的网络服务器品牌 - 否。大多数品牌的普通源服务器(如 Apache、IIS)都会特别小心地阻止任何 ../.. 和类似顽皮行为的尝试。 (请注意,某些针对代理/缓存和类似的非原始使用进行优化的服务器很可能不会这样做)。
但无论如何,您都想非常仔细地阅读文档。请注意,大多数服务器(例如 Apache 和 IIS)针对这个特定问题都有特定的指令。
看看“索引” - .ie
...
注意减号 - 将非常明确地禁用索引(但要小心符号链接 - 或者也使用 -FollowSymLinks )。 http://httpd.apache.org/docs/2.0/mod/core.html 有完整的故事。
特别检查“目录指令”部分并记下文本:
以及下面的示例。因此,您通常会希望锁定较低级别的(-索引),然后为您允许索引的学生进行目录(匹配)。
添加 index.html 的技巧通常有效 - 但请注意,这只是因为 mod_autoindex 及时地捕获了它。这并不像上面那样得到保证 - 特别是当您的服务器中有 MultiViews 或其他本地化/国际化和类似(语言/字符集)变体时。请参阅http://httpd.apache.org/docs/2.2/mod/mod_autoindex。 html。
希望这有帮助,
Dw。
Depending on your brand of web server - no. Most brands of normal origin servers (like Apache, IIS) will be particularly careful about collapsing any attempts at ../.. and similar naughtiness. (Note that some servers optimized for proxy/caching and similar non-origin use may well NOT do that).
But regardless you want to read the documentation very carefully. And note that most servers, like Apache and IIS, have specific directives for just this particular problem.
Have a look at "Indexes" - .i.e.
...
note the minus - will very explicitly disable indexes (Be careful with symbolic links though - or also use -FollowSymLinks ). http://httpd.apache.org/docs/2.0/mod/core.html has the full story.
Check specifically the section 'Directory Directive' and note the text:
and the example just below it. So you typically will want to lock down (-Indexes) on the lower level and then do a directory(match) one down for the students where you do allow Indexes.
Your trick of adding an index.html usually works - but note that this is just because mod_autoindex snarfs it in a timely fashion. This is not as guaranteed as above - in particular when you have MultiViews or other localisation/internationalization and similar (language/charset) variants in your server. See http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html.
Hope this helps,
Dw.