If an attacker guesses the path, a -Indexes directive won’t stop him from requesting the directory from the server. It should return a 403 if there’s no index.html, but perhaps there are servers out there that fail, or perhaps the web design folks think that a blank page is better than a 403.
Of course it’s also possible that the practice got going before -Indexes was added and never went away, or that since .htaccess is an Apache thing it’s not sufficiently general (nginx seems to require per-directory config of its autoindex module in its config file, no idea about IIS).

Regards,
John Ralls

> On Sep 14, 2018, at 9:13 PM, Adrien Monteleone <adrien.montele...@lusfiber.net> wrote:
>
> Interesting. I’ll investigate. I’ve never had an issue that I’m aware of. If the server won’t even let you get there due to the directive...?
>
> Regards,
> Adrien
>
>> On Sep 14, 2018, at 5:38 PM, John Ralls <jra...@ceridwen.us> wrote:
>>
>> It's my understanding that that's less than perfect. It's standard practice in the CMS world to put poisoned index.html files in directories where you don't want browsers poking their noses.
>>
>> Regards,
>> John Ralls
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel@gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
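
An added example, not part of the thread or of any project's code: a Python audit that walks a document root and reports, for each directory, whether a placeholder index file or an inherited `Options -Indexes` in `.htaccess` keeps it from being listed. It assumes Apache honours `.htaccess` (AllowOverride permits Options), that `index.html` and `index.htm` are the DirectoryIndex names, and that listings are on by default; the function names and the sample tree are constructed for illustration.

```python
import os

INDEX_NAMES = {"index.html", "index.htm"}  # assumed DirectoryIndex names

def htaccess_indexes(path):
    """True/False if this .htaccess turns Indexes on/off, None if it says nothing."""
    state = None
    if not os.path.isfile(path):
        return state
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            words = line.split()
            if not words or words[0].lower() != "options":
                continue  # also skips comment lines, which start with '#'
            opts = [w.lower() for w in words[1:]]
            if "-indexes" in opts:
                state = False
            elif "+indexes" in opts:
                state = True
            elif opts and not any(o[0] in "+-" for o in opts):  # absolute form
                state = "indexes" in opts or "all" in opts
    return state

def audit(web_root, listing_default=True):
    """Map each directory (relative path) to 'placeholder', 'htaccess' or 'LISTABLE'."""
    report, inherited = {}, {web_root: listing_default}
    for current, subdirs, files in os.walk(web_root):
        own = htaccess_indexes(os.path.join(current, ".htaccess"))
        listing = inherited[current] if own is None else own
        for d in subdirs:
            inherited[os.path.join(current, d)] = listing
        rel = os.path.relpath(current, web_root)
        if INDEX_NAMES & {f.lower() for f in files}:
            report[rel] = "placeholder"   # works on any server
        elif not listing:
            report[rel] = "htaccess"      # relies on Apache honouring .htaccess
        else:
            report[rel] = "LISTABLE"      # neither defence present
    return report

def build_sample(root):
    """Constructed sample tree, for demonstration only."""
    for d in ("uploads/2018", "cache", "private/keys"):
        os.makedirs(os.path.join(root, d))
    for blank in ("index.html", "cache/index.html"):
        open(os.path.join(root, blank), "w").close()
    with open(os.path.join(root, "private", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
```

On the sample tree, `uploads` and `uploads/2018` come back as `LISTABLE`, while `private/keys` is covered only through the `.htaccess` it inherits from `private`.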