The Dreamhost Wayback Machine

Posted by: jdaskew
Posted on: 2008-05-29 07:43:00

I just noticed an interesting "feature" here. The .snapshot directories are apparently accessible from the web. As an example, my homepage from a week ago is here:

http://www.askew.net/.snapshot/weekly.1/index.htm

I could see this as a problem if, say, you fixed a security bug in a php page. The old page w/ the faulty code would remain accessible for up to two weeks. The same would go for changes to .htaccess.

Speaking of .htaccess, could that provide a mechanism to block access to the .snapshot path? I'm not an apache expert, but maybe someone else knows: Can .htaccess block traversal? IOW, assuming htaccess will do the job, can I simply modify the one in my root, or would I need to put one in all subdirs (and wait for two weeks for it to propagate to all .snapshot dirs)?


Re: The Dreamhost Wayback Machine

Posted by: scjessey
Posted on: 2008-05-29 08:34:00

Hmmm. I think it would be better if the snapshot directories were moved out of the world-accessible space completely. I'd prefer to see a path like:

/home/username/snapshots/domain.com/.snapshot/weekly.1/

-- si-blog --

Re: The Dreamhost Wayback Machine

Posted by: sdayman
Posted on: 2008-05-29 16:28:00

Dammit, never tried that. It's definitely something we don't need.

I thought scjessey was our .htaccess wizard. Maybe someone can whip something up that'll block the snapshot directories.

It'd be even nicer if DreamHost found a way to block this in the apache config file.

-Scott

Re: The Dreamhost Wayback Machine

Posted by: zylox
Posted on: 2008-05-29 16:46:00

This works (sends back a 403 to the client) if placed in the .htaccess:


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule \.snapshot/?.+$ - [F]
</IfModule>



I'm not a mod_rewrite expert ... feel free to correct me.

Jan

Re: The Dreamhost Wayback Machine

Posted by: zylox
Posted on: 2008-05-30 02:32:00

Improved version, also blocks access to /subdirectory/.snapshot:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .*\.snapshot/?.+$ - [F]
</IfModule>

Jan

Re: The Dreamhost Wayback Machine

Posted by: jdaskew
Posted on: 2008-05-30 06:34:00

Excellent - I'll add that in my .htaccess.

Perhaps DH could address this by adding a default .htaccess to all new websites (or even pushing the setting to existing sites). That way, we can remove this and allow snapshot access if desired. I think this could be a cool feature to have in a few specialty applications.

I can submit a suggestion - what do you all think? Add .htaccess for new websites? Push to all existing as well? Or should this potentially useful feature just be obliterated (hint of bias is entirely unintended ;-) ).

Re: The Dreamhost Wayback Machine

Posted by: sdayman
Posted on: 2008-05-30 07:14:00

It'd be better if DreamHost doesn't mess with .htaccess in our domain folders.

I just can't think of a good reason to make snapshots available through the webserver. Snapshot directories are not under our control. I'd rather there be a suggestion to make a global Apache setting that doesn't serve .snapshot directories.

-Scott

Re: The Dreamhost Wayback Machine

Posted by: misterhaan
Posted on: 2008-05-30 08:52:00

looks like they made this change — .snapshot was accessible on my sites yesterday, but not today. i haven’t updated my .htaccess to block them.

track7 - my dream-hosted site

Re: The Dreamhost Wayback Machine

Posted by: zylox
Posted on: 2008-05-30 09:58:00

No, it still works for me when I'm not using my rewrite code...

Jan

Re: The Dreamhost Wayback Machine

Posted by: misterhaan
Posted on: 2008-05-30 12:46:00

never mind -- i was getting a 403 due to there being no index file directly within .snapshot. i'm now using this rule to handle it:

RewriteRule \.snapshot/ - [F]

track7 - my dream-hosted site

Re: The Dreamhost Wayback Machine

Posted by: zylox
Posted on: 2008-05-30 13:03:00

In reply to:


RewriteRule \.snapshot/ - [F]


Your rule will only redirect the listing of .snapshot/, not .snapshot and not .snapshot/weekly.0/index.html for example.

Jan
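
Added example (not part of any post in this thread): a small Python check of which request paths each RewriteRule pattern posted above would match. It models per-directory mod_rewrite matching as an unanchored regex search on the path relative to the docroot .htaccess, with no leading slash. The sample paths and the "anchored" pattern are assumptions of this example, not rules from the thread.

```python
import re

# Patterns posted in the thread, plus one anchored variant
# (the "anchored" entry is an assumption of this example).
RULES = {
    "zylox_v1": r"\.snapshot/?.+$",
    "zylox_v2": r".*\.snapshot/?.+$",
    "misterhaan": r"\.snapshot/",
    "anchored": r"(^|/)\.snapshot(/|$)",
}

# Constructed request paths, written the way a docroot .htaccess sees them:
# relative to the directory, without a leading slash.
PATHS = [
    ".snapshot",
    ".snapshot/",
    ".snapshot/weekly.1/index.htm",
    "somedirectory/.snapshot/hourly.1/",
    "notes.snapshots.html",  # ordinary file whose name merely contains the string
    "index.htm",
]


def forbidden(pattern, path):
    """True if 'RewriteRule <pattern> - [F]' would match path (and so send 403)."""
    # RewriteRule patterns are unanchored unless they use ^ or $, like re.search.
    return re.search(pattern, path) is not None


def matrix():
    """Map each rule name to the sample paths it would block."""
    return {name: [p for p in PATHS if forbidden(rx, p)]
            for name, rx in RULES.items()}


if __name__ == "__main__":
    for name, hits in matrix().items():
        print(f"{name:11} blocks: {hits}")
```

Running the same check against your own list of paths before deploying a rule shows both gaps (snapshot paths that slip through) and false positives (ordinary files that get a 403).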

Re: The Dreamhost Wayback Machine

Posted by: michael
Posted on: 2008-05-30 15:19:00

Looks like some sites were not configured correctly. It will take a bit to reconfigure them, but it will stop working over time as new configs go out.

Re: The Dreamhost Wayback Machine

Posted by: sdayman
Posted on: 2008-05-30 21:19:00

My fingers are crossed. For now, this still returns a listing:
http://www.mydomain.com/somedirectory/.snapshot/hourly.1/


-Scott

Re: The Dreamhost Wayback Machine

Posted by: michael
Posted on: 2008-05-30 23:32:00

yep, that is what this thread is about. good recap though! ;)

Tags: dreamhost, snapshot, apache, job