Mike Hommey wrote: > On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <[EMAIL PROTECTED]> > wrote: > DirectoryIndex tells apache which file(s) it may use when the url points > to a directory, instead of creating an index of the directory itself, if > allowed to. > > The default value for DirectoryIndex is index.html, which > obviously forgets index.php. But that doesn't mean index.php will be > readable as source. It only means that the auto index will be displayed > if no index.html is present and if allowed to.
Is this upstreams default or our? I mean I just cannot imagine that apache ignores index.php files by default. > > Auto-indexes are enabled only in /var/www/apache2-default and > /usr/share/apache2/icons by default, so it is not likely to leak any > unexpected file list. > But on the other side, isn't it quite usual to have an index.php in some dir, say /var/www/ while the document root of your domain just points to /var/www? In this case the whole directory structure is visible to every user including the the file index.php itself. > So no, that doesn't grant an RC bug for these reasons. > > On the other hand, it breaks configurations that used to work... (sites > relying on this index.php setting will get 403 errors after upgrade from > 2.0) So, was the change intentional or just a mistake? Bastian -- Bastian Venthur http://venthur.de -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
