Forum

I have having trouble getting Hiawatha to read "hidden" directories (directories that begin with a dot). For example, Hiawatha (v7.3) doesn't read files from directories named '.llgal'? (lllgal is a gallery generator that puts thumbnails in .llgal directories).

Is there a configuration setting that allows "hidden" directories to be read?

Thanks Hugo for developing such an excellent web server!

Hiawatha version: 7.3
Operating System: FreeBSD 8

The developer of llgal should have known better than. Directories starting with a dot are meant to be hidden. That's why Hiawatha will not show them. Some security things depend on it, like .htaccess files not being readable.

There is no and there will never be a setting that allows hidden directories to be read. I advice you to address this issue to the llgal developer.

Hi Hugo

Thanks for the prompt response. It's reassuring to know that you place such a high priority on security (apache happily reads "hidden" directories -- another reason to avoid apache). I will take this issue up with the llgal developer.

BH

Apache lets you read files from hidden directories??? Whoaw... that's... not good...

@Hugo: I am the llgal developer and I am well aware of files starting with a dot being hidden. That's exactly why I kept the existing convention of putting llgal files inside the .llgal directory (this convention is used in other programs, including one I derived llgal from). I don't want this strange directory to mess up the main directory contents. The point you seem to be missing is that "hidden" doesn't mean "unreadable". Otherwise, both would be the same word.

@bh: if you still want to use Hiawatha, you might want to use the local_llgal_dir variable to change .llgal into something else. See the manpage of llgalrc.

Cheers.

@Brice: I'm definity not missing a point. In Unix, files and directories start with a dot are meant to be hidden. Hidden as in: they are there, but you can't see them. That's why Hiawatha returns a 404 (not found) when requesting a file or directory starting with a dot and not a 403 (forbidden).

And it doesn't matter if Apache does it otherwise. Apache doesn't define the standards and Apache has some more things implemented not according to the standards. It's up to you to develop an Apache-only webapplication or one according to the official standards.

Which official standards say that hidden files are unreadable?

In Unix operating systems, files starting with a dot are hidden and are mostly used to store configuration data (http://en.wikipedia.org/wiki/Dot_files). Since every Unix operating system does that, makes it pretty much the standard. Since configuration data is often sensitive information (even Apaches uses a dotfile: .htaccess), it's common sence to hide that file from the outside world. And to hide means: don't show it to others, pretend it's not there. Which is the same as don't make it readable. Allowing dotfiles to be read via a webserver sounds like a serious security issue to me.

You were talking about "official standards" and now you cite Wikipedia, nice try

Yes, dotfiles being hidden may be considered an official standard. But Unix operating system certainly do not confuse hidden (dotfiles) with unreadable (chmod). Those attributes are unrelated in Unix. Your "standard" does not apply to being unreadable.

You know what you should do: keep on ignoring security and make dotfiles readable for every visitor.