Hide the image directories with .htaccess #1268

New Issue

Closed

opened 2026-02-05 00:27:18 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 00:27:18 +03:00

Owner

Copy Link

Originally created by @davidtessier on GitHub (Jul 23, 2019).

Originally assigned to: @ssddanbrown on GitHub.

Describe the bug
The way the .htaccess file is now, if a user inspects an image, and learns its URL path, they can easily remove the image name from the URL path, and then they will see the image directory and have access to click on any picture they otherwise might not have access to.

Steps To Reproduce
Steps to reproduce the behaviour:

1. Using your browser, inspect any image associated with a page to learn its URL.
2. Remove the image name from the end of the URL
3. You should see the image directory.

Expected behaviour
I don't believe users should be able to see the list of files in the directories.

Screenshots

People can currently see the image directory

After adding in -Indexes to the Options line in .htaccess

Possible solution?
Add -Indexes to the .htaccess file. Direct URL paths to image names still work, but users don't have access to see the list of file names.

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews 
    </IfModule>

    Options -Indexes

    RewriteEngine On

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

Your Configuration (please complete the following information):

• BookStack v0.26.3
• PHP Version: 7.2.19
• Apache 2.4.29
• Ubuntu 18.04

Originally created by @davidtessier on GitHub (Jul 23, 2019). Originally assigned to: @ssddanbrown on GitHub. **Describe the bug** The way the [.htaccess](https://github.com/BookStackApp/BookStack/blob/master/public/.htaccess) file is now, if a user inspects an image, and learns its URL path, they can easily remove the image name from the URL path, and then they will see the image directory and have access to click on any picture they otherwise might not have access to. **Steps To Reproduce** Steps to reproduce the behaviour: 1. Using your browser, inspect any image associated with a page to learn its URL. 2. Remove the image name from the end of the URL 3. You should see the image directory. **Expected behaviour** I don't believe users should be able to see the list of files in the directories. **Screenshots** **People can currently see the image directory**  **After adding in `-Indexes` to the Options line in .htaccess**  **Possible solution?** Add -Indexes to the[ .htaccess](https://github.com/BookStackApp/BookStack/blob/master/public/.htaccess) file. Direct URL paths to image names still work, but users don't have access to see the list of file names. ``` <IfModule mod_rewrite.c> <IfModule mod_negotiation.c> Options -MultiViews </IfModule> Options -Indexes RewriteEngine On # Redirect Trailing Slashes If Not A Folder... RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)/$ /$1 [L,R=301] # Handle Front Controller... RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^ index.php [L] </IfModule> ``` **Your Configuration (please complete the following information):** - BookStack v0.26.3 - PHP Version: 7.2.19 - Apache 2.4.29 - Ubuntu 18.04

OVERLORD added the 🚀 Priority🔒 Security labels 2026-02-05 00:27:18 +03:00

OVERLORD closed this issue 2026-02-05 00:27:21 +03:00

OVERLORD commented 2026-02-05 00:27:25 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 3, 2019):

Thanks for raising @davidtessier, Totally agree.

To be honest, I thought that indexes were currently hidden by realised that's only the behaviour of our install scripts, not the supplied .htaccess files themselves. Have marked for next release so it's not forgotten.

@ssddanbrown commented on GitHub (Aug 3, 2019): Thanks for raising @davidtessier, Totally agree. To be honest, I thought that indexes were currently hidden by realised that's only the behaviour of our install scripts, not the supplied `.htaccess` files themselves. Have marked for next release so it's not forgotten.

OVERLORD commented 2026-02-05 00:27:29 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 7, 2019):

I have just deployed v0.26.4 which includes rules to prevent indexes for apache instances that read htaccess files.

@ssddanbrown commented on GitHub (Aug 7, 2019): I have just deployed [v0.26.4](https://github.com/BookStackApp/BookStack/releases/tag/v0.26.4) which includes rules to prevent indexes for apache instances that read htaccess files.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🔒 Security 🚀 Priority

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1268