• The plugin blocks browser navigation to a directory, but not to the files within it. If an attacker knows the asset’s filename, he can still view and download it. Makes this plugin useless to me and I think to pretty much anyone, since a filename can be viewed in the source anytime it’s embedded in a user-facing view.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The plugin is called “WP safely disable directory browsing”. I don’t even have to install it to find out that this plugin does exactly what it intends to do, as you said yourself. The problem is that you’ve just decided that this plugin should do more, even if its basic documentation makes clear that it does not.

    Read first, complain later.

    Do we have a deal?

    Thread Starter ichthala (@ichthala)

    The plugin is called “WP safely disable directory browsing”. That includes the words “safe” and “browsing.” I think it’s pretty fair to assume that “disable directory browsing” implies “disable browsing to an entire directory, including the files within it, because those are the resources that actually matter.” If you can access a file via its URL in your browser, that is browsing. If an unauthenticated user can access sensitive files, that is not safe. The plugin’s description claims that it will “improve the security of your wordpress blog” when in fact it does nothing of the sort. But it would be easy for a user that is not particularly knowledgeable to overlook this fact.

    And by the way, you could have easily written that post without being a dick, but you didn’t. Let’s make the world a better place by not being assholes to strangers on the Internet. Do we have a deal?

    Let’s talk about not being a dick and making the world a better place. You could start by forking the project code into a better one, actually implementing the behavior you need. That would be a contribution. Placing low ratings on plugins (coded by a volunteer btw) because they don’t do things they don’t even intend, it is not.

    Thread Starter ichthala (@ichthala)

    Well I agree with you on that point.

    Thanks for this review, ichthala.

    I found a link to this plugin from another WP support page that suggested it would “restrict access to my wp-content/uploads directory.”

    As an end user of WP plugins, I find these kinds of reviews to be the quickest and easiest way to discover what a plugin will not do.

    As much as I appreciate the volunteer labor involved in developing plugins like this, accusing reviewers of “being a dick” for pointing out what a plugin does not do is crass and unhelpful.

    The links on the Description and Support tabs for this plugin are dead, so this seems to be the only place to find helpful information about what it will and will not actually do.

    Navigating the WP plugin repository is already time-consuming and often leads to frustration. Beating up on those reviewers offering constructive feedback just makes it even worse.
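
The distinction argued over in this thread, shown as an added example that is not part of any post and does not reproduce the plugin's code: a local test server with directory listing refused still serves a file to anyone who requests its exact URL, while a handler that also checks a credential does not. The handler classes, the token, and the `uploads/report.pdf` path are constructed for illustration.

```python
import functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

class NoListing(http.server.SimpleHTTPRequestHandler):
    """Directory browsing disabled: index requests get 403, files are still served."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None
    def log_message(self, *args):  # keep the demo quiet
        pass

class NoListingAuthFiles(NoListing):
    """Also refuses every GET/HEAD that lacks the expected bearer token."""
    TOKEN = "constructed-demo-token"
    def send_head(self):
        if self.headers.get("Authorization") != f"Bearer {self.TOKEN}":
            self.send_error(403, "Authentication required")
            return None
        return super().send_head()

def status(url, token=None):
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(handler_cls, token=None):
    """Serve a temp site on loopback; return status codes for the index and a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "report.pdf"), "wb") as fh:
            fh.write(b"constructed sample file")
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), functools.partial(handler_cls, directory=root))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}/uploads/"
        try:
            return {"listing": status(base, token), "file": status(base + "report.pdf", token)}
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print("listing disabled only:", audit(NoListing))
    print("listing disabled + auth:", audit(NoListingAuthFiles))
```

Running the same two requests (directory URL and a known file URL) against a real site without credentials is a quick way to check which of the two behaviours a given setup actually provides.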

  • The topic ‘Doesn't block access to files’ is closed to new replies.