On Tuesday 02:10 PM 8/19/2008, Jeff Rogers wrote:
> A default configuration change was suggested which seems generally viewed as undesirable.

My impression was that support was split about evenly, actually. I take it that means you're against changing the default? I'm a bit surprised, since you started out agreeing that it's a bug. Personally I can't imagine any persuasive argument that a caching mechanism that can easily confuse /usr/local/private/var/rootpass and /var/tmp/verisign/certs/webcert.txt should be enabled by default in a web server.

For anyone thinking, well, you're the only one who's ever seen this bug, I'd say no, we're just the first ones to discover this bug. It's quite possible that other people have run into it without knowing it, since AOLserver will just silently serve the wrong data.

As for what I want, as I said, I was mainly bringing this up to shine a light on the issue and see what other people's thoughts were. That's been helpful in particular because I hadn't considered the security implications, which are quite serious; I may raise this issue on security forums as well so that people using ns_returnfile are aware of the danger of silent data corruption and/or information leaks and can review their code accordingly.

- John


--
AOLserver - http://www.aolserver.com/