
Allow a subfolder with directory listings

unixhero
edited November 2013 in Vanilla 2.0 - 2.8

Hi
I am trying to have a subfolder in my VANILLA forum root where my users upload files.
The voodoo in apache's redirect escapes me, and I am hoping someone here could help me out.
When I password protect the folder /stuff with a .htaccess file, the .htaccess in the VANILLA root folder kicks in and gives a 404 error (fancy Vanilla error message).
The 404 message reads "Page Not Found
The page you were looking for could not be found."

How can I exclude /stuff from that .htaccess catch-all that ships with VANILLA?

Here is my .htaccess file from the root folder (the one that comes with Vanilla forums):

RewriteEngine On
# RewriteBase /
RewriteCond %{REQUEST_URI} !^/snax
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]

Here is the .htaccess file I have written for /stuff :

DirectoryIndex index.php index.html index.htm
Options +Indexes
AuthType Basic
AuthName "Got stuff"
AuthUserFile "/home/mywebstuff/.htpasswds/snax.passwd"
AuthGroupFile /dev/null
require valid-user

Hope someone would have a pointer...


Comments

  • hbf wiki guy? MVP

    Htaccess is hierarchical: a subdirectory htaccess overrides the parent, and the parent overrides the server config. So just add an htaccess file to your subfolder which modifies the desired behavior. Don't touch the forum root htaccess.

  • Thanks for your suggestion, but that is precisely what I tried... I placed an extra .htaccess in my subfolder, but when I turn on "AuthType Basic" I'm being redirected to a VanillaForums404 error message, and when I turn the auth off, I am able to view the indexed folder...

    I guess what I really should try and achieve is to create a Mod_Rewrite rule in the root .htaccess that can exclude every action in the /stuff folder... So far I haven't been able to get that working...

  • R_J Ex-Fanboy Munich Admin

    I've tried your .htaccess with my "uploads" folder and when I access mydomain/uploads I see the directory listing.
    So there is obviously no need to change root's .htaccess.

    Afterwards I've created a "stuff" folder, moved the .htaccess over there and surfing to mydomain/stuff gives me a 403 :-o

    Sorry I have no solution for that, but maybe that will help you figure out what happened on your server


  • x00 MVP
    edited November 2013

    Vanilla does not try to rewrite URLs to physical directories and files that are readable. This rule specifically excludes that:

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    

    -d for directory -f for file, ! meaning not.

    grep is your friend.

  • x00 MVP
    edited November 2013

    show us the .htaccess of the subdirectory

    should be something like

    AuthName "Authorisation Required"
    AuthUserFile "/path/to/passwd"
    AuthType Basic
    require valid-user
    ErrorDocument 401 "Authorisation Required"
    

    grep is your friend.

  • R_J Ex-Fanboy Munich Admin

    @x00 : it is at the end of the initial posting


  • Look at the order of AuthType Basic; it doesn't go at the top.

    grep is your friend.
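
Added example, not part of any post in this thread: the /stuff/.htaccess from the question with the ErrorDocument 401 line from x00's suggested file merged in. It assumes the host's server-wide config maps 401 to a file path (shown as the placeholder /401.shtml) that does not exist in the forum root, which would explain why the 404 only appears once authentication is switched on.

```apache
# /stuff/.htaccess  (added example; every directive is taken from the posts above)

# Serve an index file if one exists, otherwise list the directory.
DirectoryIndex index.php index.html index.htm
Options +Indexes

# Basic authentication against the password file from the question.
AuthName "Got stuff"
AuthUserFile "/home/mywebstuff/.htpasswds/snax.passwd"
AuthType Basic
Require valid-user

# Send the 401 body as inline text instead of a file.
# Assumption: without this line the server-wide config points 401 at a path
# such as /401.shtml (placeholder) that is missing from the forum root. The
# internal request for that path then passes both tests in the root .htaccess
#   RewriteCond %{REQUEST_FILENAME} !-d
#   RewriteCond %{REQUEST_FILENAME} !-f
# and is rewritten to index.php, which answers with Vanilla's 404 page.
ErrorDocument 401 "Authorisation Required"
```

With this in place, a request to /stuff/ without credentials should come back as status 401 with a `WWW-Authenticate: Basic` header rather than the forum's 404 page. Basic credentials are only base64-encoded on the wire, so the folder should be served over HTTPS.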