Home > Archive > Webmaster forum > November 2007 > Directory misunderstanding
Directory misunderstanding
| Terry 2007-11-21, 10:17 pm |
| I have a file uploader set to load text files above the root directory.
It works. The web pages include the appropriate text file from this
directory. The following piece of code (php) is supposed to list out the
files as links (which it does). The links give a 404.
<?php
// Open the upload directory, which lives one level above the document root
$open = opendir("../AboveRoot/");
// Compare against false explicitly so an entry named "0" does not end the loop
while (false !== ($files = readdir($open))) {
    $filename = "../AboveRoot/" . $files;
    if (is_file($filename)) {
        $size = filesize("../AboveRoot/$files");
        echo "<br><a title=\"$size k\" href=\"../AboveRoot/$files\"
        alt=\"$size k\">$files</a>\n";
    }
}
closedir($open);
Why does ../AboveRoot/ work everywhere but the clickable links?
--
TK
http://wejuggle2.com/
Still Having a Ball
| |
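The links 404 because a URL path is resolved relative to the DocumentRoot and cannot climb above it, so a file that is meant to stay outside the web root has to be handed out by a script (or by a deliberate Apache Alias/<Directory> entry, which is the route the later replies argue about). The following is an added example, not Terry's code: a replacement for his listing that links each file back to this same script, which then validates the name and streams the file with readfile(). The directory name AboveRoot, the query parameter f, the text/plain content type and a PHP 7.1 or later interpreter are assumptions.

```php
<?php
// Added example (not the original poster's code): serve files that live
// above the DocumentRoot through this script instead of linking to
// "../AboveRoot/". The directory name and the "f" parameter are assumed.

const UPLOAD_DIR = __DIR__ . '/../AboveRoot';   // outside the web root

// Resolve a client-supplied name to a file inside UPLOAD_DIR, or null.
// basename() drops any directory part, the allowlist rejects anything that
// is not a plain file name, and the realpath() prefix check catches symlinks
// or other entries that would resolve back outside the directory.
function resolve_upload(string $requested): ?string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;
    }
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;            // also excludes "", "." and ".."
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;            // resolved somewhere other than UPLOAD_DIR
    }
    return $path;
}

// List the uploads as links that point back at this script.
function list_uploads(): void
{
    $dir = opendir(UPLOAD_DIR);
    if ($dir === false) {
        return;
    }
    while (false !== ($entry = readdir($dir))) {
        $path = resolve_upload($entry);
        if ($path === null) {
            continue;           // skips ".", "..", subdirectories, odd names
        }
        $kb = round(filesize($path) / 1024, 1);
        $href = htmlspecialchars('?f=' . rawurlencode($entry), ENT_QUOTES);
        $label = htmlspecialchars($entry, ENT_QUOTES);
        echo "<br><a title=\"$kb k\" href=\"$href\">$label</a>\n";
    }
    closedir($dir);
}

// Download branch: ?f=<name> streams one validated file from UPLOAD_DIR.
if (isset($_GET['f'])) {
    $path = resolve_upload((string) $_GET['f']);
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: text/plain; charset=UTF-8');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

// Default branch: render the listing.
list_uploads();
```

The point of resolve_upload() is that the only thing the client controls is a bare file name; everything else about the path is fixed by the script. Unlike the original links, nothing here relies on the web server being willing to serve ../AboveRoot/, so the listing and the downloads work without touching the Apache configuration, and the directory stays invisible to anyone who does not go through the script.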
| Jerry Stuckle 2007-11-21, 10:17 pm |
| Terry wrote:
> I have a file uploader set to load text files above the root directory.
> It works. The web pages include the appropriate text file from this
> directory. The following piece of code (php) is supposed to list out the
> files as links (which it does). The links give a 404.
>
> $open=opendir("../AboveRoot/");
> while ($files=readdir($open)){
> $filename="../AboveRoot/".$files;
> if (is_file($filename)){
> $size=filesize("../AboveRoot/$files");
> echo "<br><a title=\"$size k\" href=\"../AboveRoot/$files\"
> alt=\"$size k\">$files</a>\n";
>
> Why does ../AboveRoot/ work everywhere but the click able links?
>
Because the web server will not allow you to access anything above the
root directory. It's a security issue. Otherwise theoretically they
could access anything on your server.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Fenix 2007-11-21, 10:17 pm |
| Jerry Stuckle wrote:
> Terry wrote:
>
> Because the web server will not allow you to access anything above the
> root directory. It's a security issue. Otherwise theoretically they
> could access anything on your server.
>
Nonsense. It depends upon how the Web server is configured.
Grok this from Apache 2.2
<Directory> and </Directory> are used to enclose a group of directives that
will apply only to the named directory and sub-directories of that
directory. Any directive that is allowed in a directory context may be
used. Directory-path is either the full path to a directory, or a wild-card
string using Unix shell-style matching.
<Directory /srv/www>
Options None
Order deny,allow
Allow from All
</Directory>
<VirtualHost *:80>
ServerName www.domain.tld
ServerAlias domain.tld *.domain.tld
DocumentRoot /srv/www/domain
</VirtualHost>
| |
| Jerry Stuckle 2007-11-22, 3:16 am |
| Fenix wrote:
> Jerry Stuckle wrote:
>
>
> Non-sense, It depends upon how the Web server is configured.
> Grok this from Apache 2.2
>
> <Directory> and </Directory> are used to enclose a group of directives that
> will apply only to the named directory and sub-directories of that
> directory. Any directive that is allowed in a directory context may be
> used. Directory-path is either the full path to a directory, or a wild-card
> string using Unix shell-style matching.
>
> <Directory /srv/www>
> Options None
> Order deny,allow
> Allow from All
> </Directory>
>
> <VirtualHost *:80>
> ServerName www.domain.tld
> ServerAlias domain.tld *.domain.tld
> DocumentRoot /srv/www/domain
> </VirtualHost>
>
>
And Apache will not allow any access under the root directory. The
server will not allow access below /srv/www/domain by default.
Your comment is shit.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
|
| Jerry Stuckle wrote:
> Fenix wrote:
>
> And Apache will not allow any access under the root directory. The
> server will not allow access below /srv/www/domain by default.
>
> Your comment is shit.
>
First I am not going to argue with you. As a lurker here you have the nasty
ability to want to argue with anyone that doesn't agree with you.
If you would just test the above you would see that it works. Apache's user
HAS access to any file that is in the /srv/www directory or a subdirectory
below it. That will allow access to files in /srv/www by Location or CGI.
Do you understand CGI? I think not. I know you don't know Apache
configuration or you would not have replied as you did. There is nothing
sacred about the server's document root. Do you know what the <Location>
configuration is for?
Apache will return any file asked for if Apache is misconfigured or
access allowed to the file system that the file resides on. I do it all
the time as I keep my graphics on a file system that is not in any document
root, on a completely different partition. This avoids spyders and such
from indexing the graphics and others from d/l all my graphics en masse but
still allows them to display on the web page. I do it with my MP3s as well.
Have you set up a subversion repository? That is how it is done by Location.
The repos resides in a subdirectory OUTSIDE of the server's document root.
Good luck to you and please stay ignorant.
| |
| Jerry Stuckle 2007-11-23, 3:28 am |
| Fenix wrote:
> Jerry Stuckle wrote:
>
>
> First I am not going to argue with you. As a lurker here you have the nasty
> ability to want to argue with anyone that doesn't agree with you.
>
I call them like I see them.
> If you would just test the above you would see that it works. Apaches user
> HAS access to any file that is in the /srv/www directory or a subdirectory
> below it. That will allow access to files in /srv/www by Location or CGI.
>
Yes, but that's because you defined a specific directory. This is
completely different from what the OP was asking about.
> Do you understand CGI? I think not. I know you don't know Apache
> configuration or you would not have replied as you did. There is nothing
> sacred about the servers document root. Do you know what the <Location>
> configuration is for ?
>
I understand it a hell of a lot better than you do. At least I didn't
throw in some off-topic point.
> Apache will return the any file asked for if Apache is miss-configured or
> access allowed to the file system that the file resides on. I do it all
> the time as I keep my graphics on a file system that is not in any document
> root, on a completely different partition. This avoid spyders and such
> from indexing the graphics and others from d/l all my graphics en mass but
> still allows them to display on the web page. I do it with my MP3 as well.
>
Which stops nothing. Spiders (not spyders!) don't know or care about the
physical location of the file. All they care about is the URI. If you
knew 1/2 as much as you claim, you would understand that.
> Have you setup a subversion repository? That is how it is done by Location,
> The repos resides in a subdirectory OUTSIDE of the servers Document root.
>
Not subversion, but similar. But that's NOT what the OP was doing.
> Good luck to you and please stay ignorant.
>
>
Good luck to you, and please don't toss in any more shit unrelated to
the OP's question.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
|
| Jerry Stuckle wrote:
> Fenix wrote:
[snip]
Thanks guys, you clarified the problem nicely. Oh, well maybe not
nicely, maybe well ;-)
--
TK
http://wejuggle2.com/
Still Having a Ball
| |
|
| Jerry Stuckle wrote:
[SNIP]
>
> Good luck to you, and please don't toss in any more shit unrelated to
> the ops question.
>
>
What are you, the newsgroup cop?
Since this is Usenet I will post what I care to post. If you don't like it
you can simply discard the post.
| |
|
| Jerry Stuckle wrote:
[snip]
>
> Which stops nothing. Spiders (not spyders!) don't know or care about the
> physical location of the file. All they care about is the URI. If you
> knew 1/2 as much as you claim, you would understand that.
>
http://software.filefactory.com/Lin...pyder_0-19.html
| |
| Jerry Stuckle 2007-11-23, 3:28 am |
| Fenix wrote:
> Jerry Stuckle wrote:
>
> [SNIP]
>
>
> What are you the news group cop?
>
> Since this is usenet I will post what I care to post, If you don't like it
> you can simply discard the post.
>
>
No, but you've just proven you're an XXXXXXX.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Andy Dingley 2007-11-23, 3:28 am |
| On 21 Nov, 23:23, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Because the web server will not allow you to access anything above the
> root directory. It's a security issue. Otherwise theoretically they
> could access anything on your server.
Most of them (IMHE) _will_ allow you to access things above the web
root (obviously not "root"!) provided that you deliberately configure
them to do so. For typical values of security, this would count as
misconfiguration. However there's nothing hard-coded into the web server
that forbids this: they address the filesystem as anything else does,
and potentially they can get to anywhere around inside it.
To get above the web root you're likely to have to do things (from
what we'd hope would be a sensible default for an initial install):
configure the web server internally to permit this, also configure the
OS to allow the web server's process to access the filesystem outside
its normal environs.
Doing any of this is a bad idea (for typical purposes). However it is
_sometimes_ both useful and necessary. Granting "web access" to
"repositories" is the obvious example.
| |
| Jerry Stuckle 2007-11-23, 3:28 am |
| Andy Dingley wrote:
> On 21 Nov, 23:23, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>
> Most of them (IMHE) _will_ allow you to access things above the web
> root (obviously not "root"!) provided that you deliberately configure
> them to do so. For typical values of security, this would count as mis-
> configuration. However there's nothing hard-coded into the web server
> that forbids this: they address the filesystem as anything else does,
> and potentially they can get to anywhere around inside it.
>
> To get above the web root you're likely to have to do things (from
> what we'd hope would be a sensible default for an intial install):
> configure the web server internally to permit this, also configure the
> OS to allow the web server's process to access the filesystem outside
> its normal environs.
>
> Doing any of this is a bad idea (for typical purposes). However it is
> _sometimes_ both useful and necessary. Granting "web access" to
> "repositories" is the obvious example.
>
True - IF YOU CONFIGURE IT SO. But most shared hosts don't have it
configured as such, for good reason.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Andy Dingley 2007-11-23, 3:29 am |
| On 22 Nov, 18:00, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> True - IF YOU CONFIGURE IT SO.
Of course.
Now look at your other posting:
Fenix wrote:
You replied:
> And Apache will not allow any access under the root directory.
> Your comment is shit.
Now as far as I care to read it, that's you denying the web server
itself will go _anywhere_ outside the web root. Maybe I've mis-read
your post, maybe you've mis-read Fenix. This happens, we _know_ this
happens in an ASCII-only text-bound medium.
Your response was well out of order though, and more typical of your
general responses than a mere one-off.
I'm shopping for DB2 training materials or consultancy at the moment
(for a whole team, so a worthwhile budget). I did consider you, but to
be honest, I didn't fancy the attitude that comes along with it.
You'll probably blame 1001Webs for it, but your attitude _has_ just
cost you money.
| |
| Jerry Stuckle 2007-11-23, 3:29 am |
| Andy Dingley wrote:
> On 22 Nov, 18:00, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>
> Of course.
>
>
> Now look at your other posting:
>
> Fenix wrote:
>
> You replied:
>
>
> Now as far as I care to read it, that's you denying the web server
> itself will go _anywhere_ outside the web root. Maybe I've mis-read
> your post, maybe you've mis-read Fenix. This happens, we _know_ this
> happens in an ASCII-only text-bound medium.
>
> Your response was well out of order though, and more typical of your
> general responses than a mere one-off.
>
Not at all. Fenix threw a completely different configuration into the
mess, which you echoed. It was not pertinent to the OP's situation.
>
> I'm shopping for DB2 training materials or consultancy at the moment
> (for a whole team, so a worthwhile budget). I did consider you, but to
> be honest, I didn't fancy the attitude that comes along with it.
> You'll probably blame 1001Webs for it, but your attitude _has_ just
> cost you money.
>
Not at all. Quite frankly, I doubt you could afford my DB2 courses.
They are geared towards Fortune 1000 companies and are top of the line.
Our customers pay well for our services, but they do it gladly.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Andy Dingley 2007-11-23, 3:29 am |
| On 22 Nov, 18:38, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Not at all. Quite frankly, I doubt you could afford my DB2 courses.
> They are geared towards Fortune 1000 companies and are top of the line.
You don't know who I'm working for. Might not be Fortune 1000, but
they're FTSE 100. This is _DB2_ we're talking about - it's hardly mom
& pop webshop territory!
However your persistent attitude just goes to demonstrate my point. If
you insist on telling me that I can't afford it, I rather doubt that I
would want to buy it from you anyway.
Long time ago, one of my neighbours was shopping for a new car. His
old saloon was OK, but he really wanted an estate. So he went out to
the nearby garage that sold big estate cars, Mercedes Benz as it
happened.
He didn't look like much of a client. Bit scruffy, and a distinct
whiff of the farmyard about him. When he examined the tailgate and
mentioned its proof against piglets, the salesman became rather sniffy
and said more or less what you've just done.
So he got in his _Bentley_ and drove home. I don't believe he ever did
buy a Mercedes, then or ever since. Shame for them really, as he's one
of the richer farmers in the county.
| |
| Jerry Stuckle 2007-11-23, 3:29 am |
| Andy Dingley wrote:
> On 22 Nov, 18:38, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>
> You don't know who I'm working for. Might not be Fortune 1000, but
> they're FTSE 100. This is _DB2_ we're talking about - it's hardly mom
> & pop webshop territory!
>
> However your persistent attitude just goes to demonstrate my point. If
> you insist on telling me that I can't afford it, I rather doubt that I
> would want to buy it from you anyway.
>
>
> Long time ago, one of my neighbours was shopping for a new car. His
> old saloon was OK, but he really wanted an estate. So he went out to
> the nearby garage that sold big estate cars, Mercedes Benz as it
> happened.
>
> He didn't look like much of a client. Bit scruffy, and a distinct
> whiff of the farmyard about him. When he examined the tailgate and
> mentioned its proof against piglets, the salesman became rather sniffy
> and said more or less what you've just done.
>
> So he got in his _Bentley_ and drove home. I don't believe he ever did
> buy a Mercedes, then or ever since. Shame for them really, as he's one
> of the richer farmers in the county.
>
Fine. Whatever.
No, I don't know who you work for. But you don't know my courses or
their price, either. And quite frankly, I'm not marketing to you. I've
already got enough work to keep me busier than I care to be.
I'd recommend you go to IBM. Their courses aren't as good as ours, but
are a fair bit cheaper.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Doug Baiter 2007-11-23, 3:29 am |
| On Thu, 22 Nov 2007 13:59:44 -0500, Jerry Stuckle
<jstucklex@attglobal.net> wrote:
>Andy Dingley wrote:
>
>Fine. Whatever.
>
>No, I don't know who you work for. But you don't know my courses or
>their price, either. And quite frankly, I'm not marketing to you. I've
>already got enough work to keep me busier than I care to be.
>
>I'd recommend you go to IBM. Their courses aren't as good as ours, but
>are a fair bit cheaper.
Not to mention that IBM don't have a reputation as a scammer...
| |
| Jerry Stuckle 2007-11-23, 3:29 am |
| Doug Baiter wrote:
> On Thu, 22 Nov 2007 13:59:44 -0500, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>
>
> Not to mention that IBM dont have a reputation as a scammer...
>
You should know.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================