If I type in the following path in a browser (assuming my Drupal site lives in a directory called 'drupal' under document root):

/drupal/modules

A file listing of the modules directory is displayed!

The same default behavior occurs for any other subdirectory of the drupal root directory:

e.g.
/drupal/sites/
/drupal/files
..
..
etc.

I looked at my .htaccess file (the stock one that ships with the install) and it looks like that behavior IS drupal's DEFAULT behavior:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

where if the file IS a directory or a file (e.g. NOT a drupal menu path), then it is NOT rewritten and thus available for viewing.

Is this supposed to be drupal's default behavior?!

If so what's the most bulletproof approach to disabling viewing of subdirectories in a drupal site?

thanks in advance

Comments

dami’s picture

Isn't there a line "Options -Indexes" preventing index listing of directories?

newdru’s picture

-Indexes does exist and it's at the top of my .htaccess...

But it doesn't seem to be working!?

fwiw, I just moved a working drupal site on a windows box to a linux box.

The .htaccess files are identical.

On the windows box, subdirs are NOT displayed which means that -Indexes is working as prescribed in .htaccess.

However, on the linux box, -Indexes appears to not be set or is being overridden elsewhere. It would seem to be that something in httpd.conf on the linux box must be changing something. But it's not popping out at me???

hmmm? I'll have to check some more..

If anybody has some ideas, pass em on please.

thanks for your input.

linweb’s picture

Just a thought but some linux setups default to

<Directory />
AllowOverride None
</Directory>

Not sure of your setup but you could try adding something like 'AllowOverride Options' to httpd.conf. Unfortunately this would also allow users to turn things like ExecCGI on, which you may not want for security reasons.

Without looking it up I'm not sure if the following is correct but you could give it a try.

<Directory />
AllowOverride Indexes
Options -Indexes
</Directory>

As always if you didn't want this for all sites you could simply place this in a <VirtualHost>

--
ncweb

newdru’s picture

WAS that the httpd.conf on the new linux server did not allow any overrides by the drupal base directory but DID enable Options Indexes.

thanks for the help
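
The diagnosis in the last comment (httpd.conf enabling Options Indexes while allowing no overrides, so the "Options -Indexes" line in .htaccess is never applied) can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit that merges `<Directory>` sections the way Apache does (shortest path first) and reports whether listings are on and whether .htaccess is allowed to turn them off. The config fragments, the /var/www/html paths and the function names are constructed for illustration.

```python
import re

# Constructed httpd.conf fragment matching the thread's diagnosis: overrides
# disabled, Indexes enabled. The paths are hypothetical.
SAMPLE_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""
# One possible correction (an assumption, the thread does not show the final config).
FIXED_CONF = SAMPLE_CONF + """
<Directory "/var/www/html/drupal">
    Options -Indexes
    AllowOverride All
</Directory>
"""

def directory_blocks(conf):
    """Yield (path, directive lines) per <Directory> section; root is yielded as ''."""
    pattern = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
    for path, body in pattern.findall(conf):
        lines = [ln.strip() for ln in body.splitlines()]
        yield path.strip().rstrip("/"), [ln for ln in lines if ln and not ln.startswith("#")]

def audit(conf, docroot):
    """Return (indexes_enabled, htaccess_options_honoured) for docroot.
    Simplified: assumes Apache 2.4 defaults, ignores Include, <VirtualHost>,
    <DirectoryMatch> and the contents of .htaccess files themselves."""
    indexes, override = False, ["none"]
    blocks = [b for b in directory_blocks(conf) if (docroot + "/").startswith(b[0] + "/")]
    for _, directives in sorted(blocks, key=lambda b: len(b[0])):  # shortest path first
        for line in directives:
            name, *args = line.split()
            if name.lower() == "options":
                if not all(a[0] in "+-" for a in args):
                    indexes = False  # an unprefixed list replaces inherited options
                for a in args:
                    if a.lstrip("+-").lower() in ("indexes", "all"):
                        indexes = not a.startswith("-")
            elif name.lower() == "allowoverride":
                override = [a.lower() for a in args]  # most specific section wins
    honoured = any(o in ("all", "options") or (o.startswith("options=")
                   and "indexes" in o.split("=", 1)[1].split(",")) for o in override)
    return indexes, honoured
```

Calling `audit(SAMPLE_CONF, "/var/www/html/drupal")` returns `(True, False)`: listings are enabled and the .htaccess setting cannot change that, while the same call on `FIXED_CONF` returns `(False, True)`.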