Home/ Questions/Q 7531001
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T05:04:01+00:00

all! On our server we have got a directory ‘files’ with materials for students

  • 0

all!

On our server we have got a directory ‘files’ with materials for students and teachers:

http://sample.ru/files/4students/
http://sample.ru/files/4teacherszzz/
http://sample.ru/files/markszzz/
...

Each directory, when you type it into your web-browser shows you ‘Index of /files/4students/’ page with list of files/subdirs.

But, we’ve got problem: when the student types ‘http://sample.ru/files/’ he can see all other folders! But students must not see teachers files (in folders 4teacherzzz and markszzz).

So, we’ve put blank index.html into /files/ . And by typing this url, student can’t see other folders.

Now, this is question: can anyone student (he only knows ‘http://sample.ru /files/4students/’ url) get list of urls in ‘http://sample.ru /files/’ (may be by special typing ‘/files/4students/../’ or so on)? and how? and how to deny this?

The problem is that we must leave that folders system — it is more convenient for teachers (they only copy files to a folder on server and files automatically appears in “Index of …” page)

Thanks for your replies!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Depending on your brand of web server – no. Most brands of normal origin servers (like Apache, IIS) will be particularly careful about collapsing any attempts at ../.. and similar naughtiness. (Note that some servers optimized for proxy/caching and similar non-origin use may well NOT do that).

    But regardless you want to read the documentation very carefully. And note that most servers, like Apache and IIS, have specific directives for just this particular problem.

    Have a look at “Indexes” – .i.e. 

    <Directory /something/>
   option -Indexes

    note the minus – will very explicitly disable indexes (Be careful with symbolic links though – or also use -FollowSymLinks ). http://httpd.apache.org/docs/2.0/mod/core.html has the full story.

    Check specifically the section ‘Directory Directive’ and note the text:

    Be careful with the directory-path arguments: They have to literally
    match the filesystem path which Apache uses to access the files.
    Directives applied to a particular will not apply to files
    accessed from that same directory via a different path, such as via
    different symbolic links.

    and the example just below it. So you typically will want to lock down (-Indexes) on the lower level and then do a directory(match) one down for the students where you do allow Indexes.

    Your trick of adding an index.html usually works – but note that this is just because mod_autoindex snarfs it in a timely fashion. This is not as guaranteed as above – in particular when you have MultiViews or other localisation/internationalization and similar (language/charset) variants in your server. See http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html.

    Hope this helps,

    Dw.

    • 0