Feature #4592

Automatically generate index.html when creating a directory

Added by Olivier CORRE over 7 years ago. Updated about 7 years ago.

Status: Feature implemented
Priority: Normal
Category: -
Target version:
Start date: 07/04/2012
Due date:
% Done: 100%
Estimated time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

Wouldn't it be safer to generate an index.html when creating a folder? As it is now, any folder created within Chamilo can be easily accessed from a direct URL without logging into the platform.

Associated revisions

Revision 0676d131 (diff)
Added by Yannick Warnier about 7 years ago

New course directories come with an embedded minimal index.html file - refs #4592

History

#1

Updated by Julio Montoya over 7 years ago

  • Status changed from New to Needs more info

Are you talking about the courses/XXX/document/ folder?

If that's the case there's an htaccess in courses/.htaccess that redirects to the chamilo course ...

#2

Updated by Olivier CORRE over 7 years ago

I was actually talking about subfolders created and contained inside courses/XXX/document/. With little observation, one can easily display the content of these subfolders. One who has access to a folder in a course thru "Documents" can simply see the name of the course and guess a direct link to a subfolder (name of a folder without space but "_").

#3

Updated by Olivier CORRE over 7 years ago

For example, accessing http://yourdomain/courses/XXX/document/any_folder will display any files unprotected and downloadable without even logging in to the platform. Note that this is also true for folders that are invisible to users within Chamilo. Though more difficult to get the name of the invisible folders, it is still possible for users to guess.

#4

Updated by Julio Montoya over 7 years ago

yeap, I understand that. Did you check your courses/.htaccess file?

You have to have enabled the rewrite Apache2 module in your server, this will fix that problem. Then when accessing:
http://yourdomain/courses/XXX/document/any_folder

it will redirect to the course document tool and not the apache "file directory" page ...

You can't check the behaviour in this course here:

http://chamilodev.beeznest.com/courses/DEMO/?id_session=0

then if you want to access to a folder:

http://chamilodev.beeznest.com/courses/DEMO/document/session/clases
t

#5

Updated by Olivier CORRE over 7 years ago

Rewrite mod was indeed disabled for a reason I don't understand. In any event, how many people might have the same problem without finding the answer? Will it be worth it adding an extra layer of security with an index.html file?

#6

Updated by Olivier CORRE over 7 years ago

I now have issues with files being inaccessible to users after enabling rewrite mode in Apache. Mp3 can't be started and Hotpotatoes activities don't display.

#7

Updated by Yannick Warnier over 7 years ago

  • Target version set to 1.9 Beta

I agree that it would be safer to place an empty index.html in each directory. I'm not particularly fanatic about this way, but it would indeed increase the security for a number of our non-experienced sysadmins, and I think it is our role to ensure that we reduce the risk to the minimum, even if we know a secure system should be watched by an experienced sysadmin.

Let's put index.html files in new directories. Let's not do that for previous directories. Maybe we can provide a little script that will crawl the courses/ directory and put index.html files everywhere.

These files should not appear in the database, though.

I have written a small PHP script to crawl through a hierarchy and rename files to lowercase. I guess in this case some part of that could be reused: https://github.com/ywarnier/php_lowercase_files/blob/master/lowercase_all.php
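
The crawl proposed in comment #7 for existing directories, sketched as a POSIX shell script. This is an added example, not part of the thread or of Chamilo's code; the function names and the placeholder page content are assumptions.

```shell
#!/bin/sh
# Added example (not Chamilo code): backfill a minimal index.html into every
# directory under a root such as the courses/ tree. It writes only to the
# filesystem, so nothing is registered in the application database.
# Function names and the placeholder page content are assumptions.

# Audit only: print each directory under $1 that has no index.html.
list_unindexed_dirs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type d -exec sh -c '
        for d in "$@"; do
            [ -e "$d/index.html" ] || [ -L "$d/index.html" ] ||
                printf "%s\n" "$d"
        done' sh {} +
}

# Create the placeholder where it is missing; print each file created.
add_index_files() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type d -exec sh -c '
        set -C   # noclobber: a redirect never overwrites an existing file
        for d in "$@"; do
            f="$d/index.html"
            # Skip anything already there, including dangling symlinks.
            if [ -e "$f" ] || [ -L "$f" ]; then continue; fi
            printf "%s\n" "<html><head></head><body></body></html>" > "$f" &&
                printf "%s\n" "$f"
        done' sh {} +
}

# When run as a script with a directory argument, backfill that tree.
[ "$#" -eq 0 ] || add_index_files "$1"
```

An index.html only replaces Apache's directory listing for that folder; a file requested by its exact URL is still served unless other access control is in place.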

#8

Updated by Laurent Opprecht over 7 years ago

Was wondering whether we could start using index.php for new tools instead of the current convention tool/tool.php. The current convention is a bit confusing for newbies as you expect index to be your starting point.

On another topic I was wondering if we could add a script? folder somewhere and start adding useful scripts there such as to_lower case, etc? If calling that on a production environment is a concern I usually do the following:

- I add the script in a class - so it's not possible to call it by navigating to the url.
- I add a line checking the current server is in test mode.

I have a few scripts myself that I could add there.

#9

Updated by Yannick Warnier about 7 years ago

  • Status changed from Needs more info to Feature implemented
  • Assignee set to Yannick Warnier
  • % Done changed from 0 to 100

I have added the auto index.html creation for the default course directories.

Laurent, for the scripts, you can use main/cron/ (you'll find a bunch of scripts there already).

Closing (we need to finish this beta, now)
