Thanks for the background. I wasn’t thinking of the case of other types of servers, as I so far only deal with Apache.
> On Sep 15, 2018, at 9:28 AM, John Ralls <jra...@ceridwen.us> wrote: > > If an attacker guesses the path a -Indexes directive won’t stop him from > requesting the directory from the server. It should return a 403 if there’s > no index.html, but perhaps there are servers out there that fail, or perhaps > the web design folks think that a blank page is better than a 403. > > Of course it’s also possible that the practice got going before -Indexes was > added and never went away, or that since .htaccess is an Apache thing it’s > not sufficiently general (nginx seems to require per-directory config of its > autoindex module in its config file, no idea about IIS). > > Regards, > John Ralls > > >> On Sep 14, 2018, at 9:13 PM, Adrien Monteleone >> <adrien.montele...@lusfiber.net> wrote: >> >> Interesting. I’ll investigate. I’ve never had an issue that I’m aware of. If >> the server won’t even let you get there due to the directive...? >> >> Regards, >> Adrien >> >>> On Sep 14, 2018, at 5:38 PM, John Ralls <jra...@ceridwen.us> wrote: >>> >>> It's my understanding that that's less than perfect. It's standard practice >>> in the the CMS world to put poisoned index.html files in directories where >>> you don't want browsers poking their noses. >>> >>> Regards, >>> John Ralls >> >> >> _______________________________________________ >> gnucash-devel mailing list >> gnucash-devel@gnucash.org >> https://lists.gnucash.org/mailman/listinfo/gnucash-devel > > _______________________________________________ gnucash-devel mailing list gnucash-devel@gnucash.org https://lists.gnucash.org/mailman/listinfo/gnucash-devel
