On Fri, Jan 8, 2010 at 7:23 AM, riccardo <[email protected]> wrote:
> On Thu, Jan 07, 2010 at 07:56:52PM -0800, jacmgr wrote:
>
>> . I don't have any opinion on .txt; any
>> extension you choose would be fine and I can set windows to open that
>> extension in my text editor. I guess I would prefer an extension of
>> some type just because I am used to using them.
>
> I am strongly opposed to a spurious extension. But if users on the dark
> side need a file extension, surely it would be trivial to make it a
> configuration item? In any case, from what I have seen, modern doze
> installations hide the extensions by default, and that behaviour could also
> be copied. But I still think it would be wrong to impose an extension.

I'm not keen on adding the .txt extension, for aesthetic reasons, and we could make it configurable easily enough (which is a good idea). Yet the use of an extension does make it easier to open files, and/or for me, to do extended find and replaces using my particular text editor (only scans associated file types).

But the big reason for this is security. Suppose you have a test group where members can create and edit pages. Someone creates a page called test.php and copies some php code in. This is not a problem for BoltWire, but suppose someone tried to call that page directly? http://www.site.com/field/pages/test.php? Yes, the .htaccess is supposed to block that, but what if it gets corrupted somehow? You have a pretty big security vulnerability. Adding an invisible .txt extension might keep this from happening.

We are safe currently because < is escaped. If we remove that, we are still theoretically safe (because of the .htaccess). But practically, the key to security is multiple layers. There are always unforeseen holes. The trick is to make sure that when the bad guys penetrate one layer there's always another blocking them. This is why the character encoding and page name extension are connected.

Also, I should note this would be completely invisible to the user. Everything would appear exactly as it is now--unless you were looking in the page folder directly. We are just talking about a slight change to the under-the-hood way pages are saved/retrieved.

Making this a configurable option, turned off by default is a good idea actually--as it solves the problem of downward compatibility a bit. Though a helper script that renames all the pages is easy enough to do.

I'm still in discussion mode on this point. Thanks for the feedback.

Cheers,
Dan
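
The rename helper mentioned in the message could look like the sketch below. It is an added example, not part of the original post or BoltWire's code; the function names, the flat pages directory and the `.txt` default are assumptions. The second function counts stored names that still keep a `.php`-style segment, because Apache's mod_mime looks at every extension in a file name when handlers are assigned with `AddHandler`.

```shell
#!/bin/sh
# Added example: function names, directory layout and .txt default are assumptions.

# add_page_ext DIR [EXT]: append EXT to every regular file in DIR that lacks it.
# Dotfiles such as .htaccess are not matched by the * glob and are left alone.
# Prints the number of files renamed.
add_page_ext() {
    dir=$1; ext=${2:-.txt}; renamed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue               # skip subdirectories and an empty glob
        case $f in *"$ext") continue ;; esac  # already carries the extension
        if [ -e "$f$ext" ]; then              # never overwrite an existing page
            echo "skip (target exists): $f" >&2
            continue
        fi
        mv -- "$f" "$f$ext" && renamed=$((renamed + 1))
    done
    echo "$renamed"
}

# count_script_names DIR [EXT]: count stored files whose name, once EXT is
# stripped, still ends in or contains a script extension (test.php,
# test.php.txt, x.phtml.txt). These deserve review even after the rename.
count_script_names() {
    dir=$1; ext=${2:-.txt}; hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}; name=${name%"$ext"}
        case $name in
            *.php|*.php.*|*.php[0-9]|*.phtml|*.phar)
                hits=$((hits + 1)); echo "review: $f" >&2 ;;
        esac
    done
    echo "$hits"
}
```

Run `add_page_ext` against a copy of the pages directory first; a non-zero result from `count_script_names` afterwards means the server configuration, not the file name alone, is still what keeps those pages from being executed.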
