Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#42917 closed feature request (duplicate)

Add in htaccess

Reported by: gabrielmasson's profile gabrielmasson Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.9.1
Component: Security Keywords:
Focuses: Cc:

Description

Add in the htaccess the excerpt:

Options -Indexes

so we do not have problems with displaying the folders without index

Change History (8)

#1 follow-up: @jeremyescott
7 years ago

I'm no security expert, but wouldn't it be smarter for a user who explicitly needs this to add it to their own site rather than enable it for all? A lot of folders are created in wp-content/uploads without index.php, including in my plugins, and this change would require me to explicitly add (and re-check often that a user didn't delete) an index to that folder. Without an index, if the user puts anything of value, it could be exposed to the world. One of my plugins, lets users upload sensitive documents in an employee onboarding process. IDK, this doesn't seem like a great idea, security wise. I'm curious, instead, why you feel this is necessary for all of core instead of something you can add per-site, when needed?

If anything, perhaps some better documentation on this would be helpful.

#2 in reply to: ↑ 1 ; follow-ups: @joostdevalk
7 years ago

  • Component changed from General to Security
  • Focuses performance removed

Replying to jeremyescott:

This:

Options -Indexes

Would disable listings, not enable them, for that the - would have to be a +. I think this change would be a security improvement, but am curious to know why this hasn't been already done. Perhaps @aaroncampbell knows?

#3 in reply to: ↑ 2 ; follow-up: @jeremyescott
7 years ago

Replying to joostdevalk:

Anecdote, but:

Long story, customer needs to put some publicly accessible JSON files so his game app can read info about in-app purchase options. So he made a folder in his WP directory /steam/game-name/ and put a file called game-name-iap.json in it. He then, from within his game, tried to CURL into /steam, which failed 403 Forbidden, /steam/game-name, which failed, 403 Forbidden, and finally called me for help.

Those folders didn't have an index, so if I understand the original report, that folder should be readable, right? It wasn't. But, after I advised him to CURL directly into the file from the full path, so /steam/game-name/game-name-iap.json, he could read the file.

So is this a problem, or is this an enhancement that extends already present security?

#4 @swissspidy
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

As stated multiple times by people in previous discussions, this is something that should be handled at the server level. See #18546, #36177 and #17601 for examples.

#5 in reply to: ↑ 3 @SergeyBiryukov
7 years ago

Replying to jeremyescott:

Those folders didn't have an index, so if I understand the original report, that folder should be readable, right? It wasn't.

It's likely that your server already has directory listing disabled (Options -Indexes) by default.

#6 @gabrielmasson
7 years ago

  • Severity changed from normal to critical

But if it is a shared server, like most of my clients, they usually do not have the option and keep the directories without index for free access, this is a big problem for small sites, of which we have to manually correct every installation.

#7 @swissspidy
7 years ago

  • Severity changed from critical to normal

#8 in reply to: ↑ 2 @aaroncampbell
7 years ago

Replying to joostdevalk:

I think this change would be a security improvement, but am curious to know why this hasn't been already done. Perhaps @aaroncampbell knows?

I tend to agree with Sergey:

It's likely that your server already has directory listing disabled (Options -Indexes) by default.

More specifically, I think this should be a server configuration. In production, servers, even shared ones, should (almost) always be set to Options -Indexes (autoindex off for nGinx), although in dev there are probably many that prefer to leave it on.

If you are storing sensitive info in a directory with your plugin, you should definitely be adding an index file to it. That way, even if the site is migrated to a server that is set up poorly, the files will still not be browsable.

Note: See TracTickets for help on using tickets.