Hi
I have got running Apache (2.4) as a web server.
My question is about /Desktop folder. Normally in Dolphin it is seen as any other problem. For example /home/myprofile/Desktop/ is the same as /home/myprofile/Pictures What I mean I can access them with command line.
But… if I want to access Desktop via web server I can’t. Of course I have created a link to my home folder.
I can access ALL folders in my home directory EXCEPT Desktop. I’m talking about web server http://localhost/~myprofile from where I have access to my folders.
Everything works fine with ~ (tilde). Every single path, every single catalogue/folder
I can open every single document, picture, movie, pdf, etc. I can opne, download.
The problem is only with Desktop folder. I can’t access it.
Even in Dolphin it has different icon.
If the tilde works, it might only work when the URL points to localhost, but even so I’d question that should be working…
I’d consider it a serious security issue if a website’s virtual directory can reference anything outside of the virtual directory root, even pointing to localhost.
In general,
website virtual directories should only be able to support hard paths relative to the root of the virtual directory.
So, I guess the following questions…
How did you configure your website to point to your User’s home folder? - Did you configure a virtual directory (as you should) or did you do something else like describe a hard path like /home/username ?
Can you give any real examples of working URLs to your home directory plus the actual to Desktop which you say isn’t working?
Dolphin is an installed application which should behave differently than a website.
Dolphin has direct access to the system’s file system and only <supports by extension> accessing “places” by various paths which include URI/URLs.
A website in contrast should never have direct access to the system’s file system and <only> access resources “virtually” which would then be subject to a combination of file system permissions, virtual directory permissions and website-configured paths.
Thanks for your post.
Now, you are asking hard questions about things I did in the past.
I set up Apache I guess 8 years ago and it was configured to work with localhost as well. And it was working only with /srv/www/ directory, as you mentioned.
Then I discovered I can also see and use my folder in home directory called /home/boguslaw/public_html/ for testing my created websites (simple html websites).
Access to it is through localhost/~boguslaw as you well know.
So I thought - hey, I can have access to all my documents.
I created “Basic link to file or directory” in /home/boguslaw/public_html/ called “files” pointing to /home/boguslaw/
So with that I have access (via web browser) to all my documents in my home directory.
Except /Desktop folder. Sometimes I have some files in that folder and I discovered that I cannot go to that directory in my browser.
I repeat - every single directory in my /home works. The only exception is /Desktop folder.
No matter what I do I can’t go there. It is not listed in the browser; direct path localhost/~boguslaw/Desktop says “Object not found! Error 404”.
I even tried to create another link pointing directly to /home/boguslaw/Desktop with no avail.
It is not that I cannot live without this. I can always move those files from Desktop to somewhere else and have access to them.
But I just wonder what is strange about Desktop.
So maybe I should ask - Is “Desktop” really a folder?
By default it has different icon. Even when I create a link to Desktop folder, it also has a different icon. Try it by yourself.
I don’t usually use Dolphin because practically all the openSUSE I manage either use a different or no Desktop.
Desktop is by default an actual sub-directory of the home directory, not any different than Documents, Downloads, etc.
My guess is that you’ve run into a security flaw, the only way to pinpoint what is happening is to look at your specific setup, how you configure your Apache website and your webpage code.
You should be able to open files directly in your web browser with something like the following in your URL
file://~/Downloads
but should not be able to open something like the following
http://localhost/~/Downloads
The first example is a browser accessing the local file system directly without going through a website, is real physical access(permitted).
The second example is a browser accessing a file served through a website, and that access should be blocked.
So, if your webpage code for instance served the following, it should be able to display the contents of your local Desktop. Although the page is served by the website, the code tells the browser to not use the website for file access.