[Rd] linking to package directories broken in R >= 2.10 beta

Duncan Murdoch murdoch at stats.uwo.ca
Sun Oct 18 22:28:52 CEST 2009


On 17/10/2009 1:57 PM, Thomas Petzoldt wrote:
> Duncan Murdoch wrote:
>> Thomas Petzoldt wrote:
> 
> [...]
> 
>>> This is fine, but in contrast to older versions (<= 2.9.2) no 
>>> automatic index is created for the linked directory, so we now get:
>>>
>>>
>>> "URL /library/foo/examples/ was not found"
>>>
>>> but linking to *individual files* (e.g. examples/example.R) works as
>>> expected. We can, of course, add manually maintained index files
>>> but I would much prefer if a default index would be created for the
>>> directory if no index.html is found.
>>>
>> By "index" in R <= 2.9.2, you mean the default directory listing 
>> produced by the web server, rather than something produced by R, 
>> right?
> 
> Yes, I mean the default directory listing produced by (most) web servers.
> 
>> The R server does that now if the directory is named "doc", but not 
>> for an arbitrary path. We are concerned about security: any user on 
>> your system who can guess your port number can access your help 
>> system, so we want to be sure that such users can't access private 
>> files.
> 
> 
> Hmm, I see and have some tendency to understand that this may be an 
> issue for certain multi-user systems. Looking into the svn log (and 
> compiling R) it appears that the remaining possibilities were also 
> regarded as a security issue and are now locked down too.
> 
> Well, I'm not yet completely convinced that this was a good idea.
> 
> 1) It does not completely solve security issues; what is so different
> between the library/foo/doc and library/foo/examples ???

The doc directory is known to be visible.  It might surprise someone if 
arbitrary directories were visible, and readable by any user.

> 2) The change will introduce additional work for package authors
> that used internal links within their packages. I can, of course,
> reorganize everything below doc, e.g. /library/foo/doc/examples ... but
> this means that these things are even more hidden.

Why would someone know to look in .../examples?  Just update whatever 
hint you gave them to look there, and tell them to look in 
.../doc/examples instead.  I don't think it's likely that most people 
would discover either directory without a hint somewhere.  If they were 
looking for examples, they'd look in the documented places, the Examples 
section of man pages, or in the vignettes.

> 3) However, according to the changed R-Exts, it was obviously decided
> that this was necessary, so *I* will do the required reorganization.

I think it was not so much a decision that this was necessary, as that 
it was prudent.

Duncan Murdoch

> 
> I hope that other package authors accept this change of the rules too.
> 
> Nevertheless, thank you very much for the new help system.
> 
> Thomas P.
> 