[CWB] Upgrade of CQPweb server
Stefan Fischer
stefan.fischer at uni-saarland.de
Wed Nov 19 18:01:47 CET 2025
Hi Andrew,
>> usr/31/index.php
>> usr/4a/index.php
>> ...
>>
>> Do they serve a purpose? They all contain the same line of code:
>> <?php exit(1);
> Short explanation: It's a security plug.
That's good to know. I was concerned that there might be a problem with the user database as the number of files and their creation dates looked random.
> Long explanation:
>
> This directory structure is how user-installed corpora are accessed. The system of directory naming (reflected in the URL) is
>
> ... / usr / (hex code of first byte of username) / (username) / (underscore then base-36 ID of corpus)
>
> (why split the accounts up according to first byte? cos I have 40,000+ user accounts on my server)
>
> By default, if a browser accesses a folder, Apache EITHER serves up the "index.html~php~whatever", if there is one, OR otherwise prints the directory's content list.
>
> Therefore, making the byte-code directories (and user directories) content-listable over the web would expose usernames (plus the number of corpora each user has installed).
>
> Having an index.php file that runs but produces nothing - ie "<?php exit(1);" - blocks Apache from serving the folder list. Anyone poking around just gets a blank page.
>
> So whenever one of these folders is created (by a user installing a corpus), it's given such an index.php file.
>
> It's probably better in some abstract sense to fix these issues via Apache config, etc. but that would need to be set up by every server admin separately (and procedure would be different for every web daemon). This way doesn't have that issue.
Thanks for the detailed explanation and for making administration easier for us by implementing these clever features.
Best,
Stefan
More information about the CWB
mailing list