Issue #76: Disable directory listings for attachments.

2024-12-13 02:10:49 +01:00 · 2009-07-15 22:58:57 +00:00 · 2009-07-15 22:58:57 +00:00 · b8f13a12a8
commit b8f13a12a8
parent 445fb6d0eb
1 changed files with 16 additions and 2 deletions
--- a/18
+++ b/18
@ -114,11 +114,25 @@ the current version of Jutda Helpdesk working.
     (substitute www-data for the user / group that your web server runs
      as, eg 'apache' or 'httpd')

-    If all else fails ensure all users can write to it:
+   If all else fails ensure all users can write to it:

    chmod 777 attachments/

-    This is NOT recommended, especially if you're on a shared server.
+   This is NOT recommended, especially if you're on a shared server.
+
+8. Ensure that your 'attachments' folder has directory listings turned off, 
+   to ensure users don't download files that they are not specifically linked 
+   to from their tickets.
+
+   If you are using Apache, put a .htaccess file in the 'attachments' folder 
+   with the following content:
+
+    Options -Indexes
+
+   You will also have to make sure that .htaccess files aren't being ignored.
+
+   Ideally, accessing http://MEDIA_URL/helpdesk/attachments/ will give you a 
+   403 access denied error.

 #########################
 5. Initial Configuration