More a web server security question.
Is it possible for someone to "probe" into a folder on a web server, even if an index file is in place?
I assume they can't, but if I wanted to store .pdf applications as random names (93fe3509edif094.pdf开发者_JS百科) I want to make sure there's no way to list all the pdfs in the folder.
Thank you.
Just disable the directory listing in your web server
Generally, no. Instead of creating an "index" file, you may also unset the apache "Options Indexes"
Generally speaking, no. Especially if you explicitly turn off the directory listing for that specific directory.
<Directory /path/to/directory>
Options -Indexes
</Directory>
Source: http://httpd.apache.org/docs/1.3/misc/FAQ.html
However, you should be securing files through some sort of authentication process rather than just file names. What you propose can be found by simply brute forcing the file name. Also, people can share URLs, folks can sniff and find the URL, etc. Use a better method.
Web servers have a setting that controls whether or not the directory listing can be browsed. Apache's is called Options Indexes:
Indexes If a URL which maps to a directory is requested, and the there is no DirectoryIndex (e.g., index.html) in that directory, then the server will return a formatted listing of the directory.
However, if anyone knows the URL in advance, or can easily guess the filename, they can still load the pdf.
Depends on the server. The server always decides what the client may and may not see. In your case, Apache, see Mitro's answer.
精彩评论