#42917 closed feature request (duplicate)
Add in htaccess

| Reported by: | gabrielmasson | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.9.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description

Add in the htaccess the excerpt:

`Options -Indexes`

so we do not have problems with displaying the folders without index.
Change History (8)
#2 in reply to: ↑ 1; follow-ups: ↓ 3, ↓ 8 (7 years ago)
- Component changed from General to Security
- Focuses performance removed
Replying to jeremyescott:

> This: `Options -Indexes` would disable listings, not enable them; for that the `-` would have to be a `+`.

I think this change would be a security improvement, but am curious to know why this hasn't been already done. Perhaps @aaroncampbell knows?
#3 in reply to: ↑ 2; follow-up: ↓ 5 (7 years ago)
Replying to joostdevalk:

Anecdote, but:

Long story, customer needs to put some publicly accessible JSON files so his game app can read info about in-app purchase options. So he made a folder in his WP directory, /steam/game-name/, and put a file called game-name-iap.json in it. He then, from within his game, tried to curl /steam, which failed with 403 Forbidden, then /steam/game-name, which also failed with 403 Forbidden, and finally called me for help.

Those folders didn't have an index, so if I understand the original report, that folder should be readable, right? It wasn't. But after I advised him to curl the file directly by its full path, /steam/game-name/game-name-iap.json, he could read the file.

So is this a problem, or is this an enhancement that extends already present security?
#4 (7 years ago)
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
#5 in reply to: ↑ 3 (7 years ago)

Replying to jeremyescott:

> Those folders didn't have an index, so if I understand the original report, that folder should be readable, right? It wasn't.

It's likely that your server already has directory listing disabled (`Options -Indexes`) by default.
#6 (7 years ago)
- Severity changed from normal to critical

But if it is a shared server, like most of my clients have, they usually do not have that option and the directories without an index stay freely accessible. This is a big problem for small sites, for which we have to manually correct every installation.
#8 in reply to: ↑ 2 (7 years ago)

Replying to joostdevalk:

> I think this change would be a security improvement, but am curious to know why this hasn't been already done. Perhaps @aaroncampbell knows?

I tend to agree with Sergey:

> It's likely that your server already has directory listing disabled (`Options -Indexes`) by default.

More specifically, I think this should be a server configuration. In production, servers, even shared ones, should (almost) always be set to `Options -Indexes` (`autoindex off` for nginx), although in dev there are probably many that prefer to leave it on.
If you are storing sensitive info in a directory with your plugin, you should definitely be adding an index file to it. That way, even if the site is migrated to a server that is set up poorly, the files will still not be browsable.
I'm no security expert, but wouldn't it be smarter for a user who explicitly needs this to add it to their own site rather than enable it for all? A lot of folders are created in wp-content/uploads without index.php, including in my plugins, and this change would require me to explicitly add (and re-check often that a user didn't delete) an index to that folder. Without an index, if the user puts anything of value there, it could be exposed to the world. One of my plugins lets users upload sensitive documents in an employee onboarding process. IDK, this doesn't seem like a great idea, security-wise. I'm curious, instead, why you feel this is necessary for all of core instead of something you can add per-site, when needed?
If anything, perhaps some better documentation on this would be helpful.
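The thread discusses two layers of protection against directory listings: the `Options -Indexes` directive in `.htaccess` that the ticket asks for, and an index file in every directory so that nothing is listed even on a host that ignores `.htaccess` (as comment #8 puts it, "set up poorly") or has autoindex enabled. The following POSIX shell script is an added example written for this page; it is not code from the ticket or from WordPress. It builds a constructed sample tree (the directory and file names, including the `/steam/game-name` layout borrowed from comment #3, are sample data), reports every directory that would be listed, and applies both fixes idempotently. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ticket #42917. Audits a WordPress-style tree for
# the two mitigations discussed in the thread:
#   1. a root .htaccess that turns directory listings off ("Options -Indexes")
#   2. an index.php or index.html in every directory, so nothing is listed
#      even on a host that ignores .htaccess or has autoindex enabled.
# Directory and file names below are constructed sample data.
set -eu

# Build a small constructed tree: some directories carry an index file,
# others (like the /steam/game-name example from the thread) do not.
make_sample_tree() {
  root=$1
  mkdir -p "$root/uploads/2018/01" "$root/uploads/forms" "$root/steam/game-name"
  printf '<?php\n// Silence is golden.\n' > "$root/uploads/index.php"
  printf '<?php\n// Silence is golden.\n' > "$root/uploads/2018/index.php"
  : > "$root/uploads/2018/01/photo.jpg"             # no index file here
  : > "$root/uploads/forms/onboarding.pdf"          # no index file here
  : > "$root/steam/game-name/game-name-iap.json"    # no index file here
}

# List (relative to $1, sorted) every directory below $1 that has neither
# index.php nor index.html: these are the ones autoindex would list.
dirs_without_index() {
  find "$1" -type d ! -path "$1" | while IFS= read -r d; do
    if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
      printf '%s\n' "${d#"$1"/}"
    fi
  done | LC_ALL=C sort
}

# Succeed only if $1/.htaccess contains an Options line carrying -Indexes.
# Heuristic: it does not parse <Directory> blocks or follow Include files.
htaccess_disables_indexes() {
  [ -f "$1/.htaccess" ] || return 1
  grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Append the directive the ticket asks for, once; safe to re-run.
add_options_minus_indexes() {
  if ! htaccess_disables_indexes "$1"; then
    printf 'Options -Indexes\n' >> "$1/.htaccess"
  fi
}

# Drop a placeholder index.php into every unprotected directory.
add_index_files() {
  dirs_without_index "$1" | while IFS= read -r rel; do
    printf '<?php\n// Silence is golden.\n' > "$1/$rel/index.php"
  done
}

# Demo when invoked as: sh audit-indexes.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  echo "Directories that would be listed before the fix:"
  dirs_without_index "$tmp"
  add_options_minus_indexes "$tmp"
  add_index_files "$tmp"
  echo "Unprotected directories after the fix: $(dirs_without_index "$tmp" | wc -l | tr -d ' ')"
  rm -rf "$tmp"
fi
```

The `.htaccess` check is deliberately a fallback indicator rather than proof: Apache only honours the file where `AllowOverride` permits it, which is exactly the "migrated to a server that is set up poorly" case from comment #8, so the index-file pass is the layer that survives a hosting move. For nginx the equivalent server-side setting is `autoindex off`, as the same comment notes; this script does not inspect nginx configuration.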