John,

This isn't a democracy. You have to demonstrate some understanding of
how things work. 

The only real security issue is your misuse/abuse of ns_returnfile to
serve dynamic data. 

Nobody is going to guarantee that you can't shoot yourself in the foot
due to your lack of understanding of writing robust code, or how to
configure and maintain a secure internet application, or take advice on
how to do so. 

But please, go tell the security police about our insecure file
commands. 

tom jackson



On Tue, 2008-08-19 at 15:33 -0700, John Caruso wrote:
> On Tuesday 02:10 PM 8/19/2008, Jeff Rogers wrote:
> >A default configuration change was suggested which seems generally viewed 
> >as undesirable.
> 
> My impression was that support was split about evenly, actually.  I take 
> it that means you're against changing the default?  I'm a bit surprised, 
> since you started out agreeing that it's a bug.  Personally I can't 
> imagine any persuasive argument that a caching mechanism that can easily 
> confuse /usr/local/private/var/rootpass and 
> /var/tmp/verisign/certs/webcert.txt should be enabled by default in a web 
> server.
> 
> For anyone thinking, well, you're the only one who's ever seen this bug, 
> I'd say no, we're just the first ones to discover this bug.  It's quite 
> possible that other people have run into it without knowing it, since 
> AOLserver will just silently serve the wrong data.
> 
> As for what I want, as I said, I was mainly bringing this up to shine a 
> light on the issue and see what other people's thoughts were.  That's been 
> helpful in particular because I hadn't considered the security 
> implications, which are quite serious; I may raise this issue on security 
> forums as well so that people using ns_returnfile are aware of the danger 
> of silent data corruption and/or information leaks and can review their 
> code accordingly.
> 
> - John
> 
> 
> --
> AOLserver - http://www.aolserver.com/
> 
> To Remove yourself from this list, simply send an email to <[EMAIL 
> PROTECTED]> with the
> body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
> field of your email blank.
> 

