Closed TurtleWilly closed 8 months ago

macOS can have some really weird special files, unlike other POSIX-like operating systems. Those special files probably should be filtered from generated directory listings and direct access for security reasons.
What comes to mind:
.DS_Store (cluttered everywhere, and quickly comes back once deleted)
custom directory icon files ('Icon\r' <- Yes, that's a carriage return in the filename)
Resource forks (do not allow access to any file with the name 'rsrc')
Named/resource forks: ('filename/..namedfork/*' -> do not allow access to any directory with the name '..namedfork')
Some References: https://github.com/apple-open-source/macos/blob/master/apache/patches/PR-16019492.diff https://stackoverflow.com/questions/66620681/does-apfs-actually-support-named-forks-or-just-resource-forks-and-extended-attri https://en.wikipedia.org/wiki/Resource_fork#How_a_resource_fork_is_accessed
Side Note: maybe all dot files should be filtered by default? Could be an option.

I'm not super keen on this. I'd recommend not putting files-you-dont-want-to-serve inside the wwwroot, or use a production webserver with .htaccess style functionality.

The problem here is not exactly the choice of the user. It's the OS doing this. E.g. you delete a .DS_Store file, and a few seconds later the Finder recreates it (pretty much any directory the user browses to with the desktop environment has a .DS_Store). That's how I noticed, when I quickly shared a folder here via darkhttpd: I had to share/serve the .DS_Store too (I didn't want to 😁 ).
AFAIR there were multiple CVEs related to Apple-specific issues like that in Apache httpd years ago, which then led to those Apache configuration kludges, see my above link (e.g. it needs to block the file case-insensitively too).
Resource forks are a similar weird legacy feature of macOS and/or its filesystem; any random file can have one, and the system is not very transparent about it to the user. It is not like a normal file, it's like a parallel file in a second dimension. It's getting rarer these days, but they can still pop up.

I'm sorry, but I don't want to introduce filtering functionality.
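As an added example, written for this page and not darkhttpd's own code (the project declined the feature, so nothing like it exists in the server): a small C filter implementing the rules the issue lists, checked on every component of the request path rather than only the last one. The function names, the `block_dotfiles` flag for the side-note policy, and the sample paths are assumptions constructed for illustration.

```c
/* Added example, not darkhttpd code: refuse requests for macOS special files.
 * The filter must run on the percent-DECODED request path (so "%2e%2e%6eamedfork"
 * and "Icon%0D" are caught) and after the server's own ".." traversal handling.
 * Matching is case-insensitive because HFS+/APFS volumes are case-insensitive by
 * default, so ".ds_store" and ".DS_Store" name the same file there.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

#define MAX_COMPONENT 255   /* NAME_MAX on every mainstream filesystem */

/* Names the issue lists; "Icon\r" really ends in a carriage return. */
static const char *const special_names[] = {
    ".DS_Store",
    "Icon\r",
    "rsrc",          /* legacy file/rsrc resource-fork path */
    "..namedfork",   /* file/..namedfork/rsrc */
};

/* Return 1 if a single directory entry name must be hidden from listings and
 * refused on direct access. block_dotfiles (assumed flag name) is the optional
 * "filter all dot files" policy from the issue's side note. */
int hide_from_listing(const char *name, int block_dotfiles)
{
    size_t i;
    if (strlen(name) > MAX_COMPONENT)
        return 1;   /* cannot be a real filename; fail closed */
    for (i = 0; i < sizeof special_names / sizeof special_names[0]; i++)
        if (strcasecmp(name, special_names[i]) == 0)
            return 1;
    if (block_dotfiles && name[0] == '.' &&
        strcmp(name, ".") != 0 && strcmp(name, "..") != 0)
        return 1;   /* "." and ".." are navigation, not files; the server handles them */
    return 0;
}

/* Return 1 if ANY component of a decoded request path is special, so that
 * "/pics/a.jpg/..namedfork/rsrc" is refused on the "..namedfork" component,
 * not only when the final component happens to be "rsrc". */
int is_macos_special_path(const char *path, int block_dotfiles)
{
    char comp[MAX_COMPONENT + 2];
    const char *p = path;
    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/') p++;          /* skip one or more separators */
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len == 0) break;
        if (len > MAX_COMPONENT)
            return 1;                   /* oversized component: fail closed */
        memcpy(comp, start, len);
        comp[len] = '\0';
        if (hide_from_listing(comp, block_dotfiles))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request paths, already percent-decoded. */
    static const char *const samples[] = {
        "/photos/.DS_Store", "/photos/.ds_store", "/photos/Icon\r", "/photos/Icon",
        "/photos/img.jpg/..namedfork/rsrc", "/photos/img.jpg/rsrc",
        "/photos/img.jpg", "/photos/.hidden",
    };
    size_t i;
    /* Print by index: sample 2 contains a raw CR that would mangle terminal output. */
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: default=%d dotfiles=%d\n", i,
               is_macos_special_path(samples[i], 0),
               is_macos_special_path(samples[i], 1));
    return 0;
}
```

The per-component check is the point: blocking only a final "rsrc" would still let `/dir/..namedfork/` be listed, and matching before percent-decoding would miss `Icon%0D`. The same `hide_from_listing()` call can drop entries while a directory index is generated.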