
> On 3/3/2011 6:09 AM, Jonathan Swartz wrote:
>> I want Mason 2 to have default file extensions that it facilitates and 
>> enforces (though they can be changed via parameters). Here's what I'm 
>> thinking of going with:
>> 
>>   .mc - top-level component
>> 
>>   A top-level component can serve as the page component in a request.
>> 
>>   .mi - internal component
>> 
>>   An internal component can only be accessed from other components.
>> 
>>   .mp - pure-perl component
>> 
>>   A pure-perl component contains only code; it is parsed as if its entire
>>   content was within a <%class> block. You do not need to (and are not
>>   allowed to) include Mason tags in this component, and it will not produce
>>   any output if called.
> 
> Make sure it can be EASILY overridden.  From a security standpoint, it is not 
> a good idea to reveal the technology behind your systems.  As an example, PCI 
> compliance scanning will fail if your web server reveals more than just its 
> name (Apache).
> 
> All the sites I do with Mason use .html as an extension.  While they are 
> obviously dynamic and not just plain HTML, it can be difficult to discern if 
> they are written in Mason, PHP, ColdFusion, etc.  When an attacker sees a 
> URL that ends with .aspx, he knows he can throw his Microsoft attack tools at 
> it and not bother with the PHP ones (unless the admin is clever and the site 
> is really PHP and not ASP).  Keeping attackers guessing makes their job 
> harder and your site safer.

To clarify, these are not URL extensions, they are file extensions. That is, by 
default, the URL

  /foo/bar

would be handled by one of these components

  /foo/bar.mc
  /foo/bar.mp

or a dhandler, etc. There's no way to know from the URL "/foo/bar" that you are 
using Mason versus something else.

If you want URLs like /foo.html, you could either create files like 
/foo.html.mc, or you could set autoextend_request_path to false and create 
files like foo.html.

So I don't see any security implications with Mason having a standard set of 
file extensions, but please correct me if I'm wrong.

Thanks
Jon
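To make the resolution rule above concrete, here is a small stand-alone Perl model of it. This is an added illustration, not Mason's own resolver: it uses a constructed in-memory file list instead of the disk, assumes `.mc` is tried before `.mp`, assumes the fallback component is named `dhandler` and is searched upward from the request directory, and treats `autoextend_request_path` as a plain option flag. What it shows is the point of the reply: the URL `/foo/bar` never carries the component extension, so a visitor cannot tell from the URL which engine produced the page, and asking for the source file by name (`/foo/bar.mc`) does not serve the raw component.

```perl
#!/usr/bin/env perl
# Added illustration (not Mason's code): map a request path to a component
# file the way the reply describes, so the URL never exposes the extension.
use strict;
use warnings;

# Constructed sample of files under the component root. Assumption: in a real
# deployment these would be looked up on disk; here they are just a set.
my %files;
$files{$_} = 1 for qw(
    /foo/bar.mc
    /foo/baz.mp
    /foo/dhandler.mc
    /docs/index.html.mc
    /legacy/page.html
);

# Extensions that may serve a request (top-level and pure-perl components).
# Assumption: .mc is tried before .mp; .mi (internal) is never a candidate.
my @page_exts = qw(.mc .mp);

# resolve($request_path, %options) returns the component file that would
# handle the request, or undef (a 404) when nothing matches.
sub resolve {
    my ($path, %opt) = @_;
    my $autoextend = exists $opt{autoextend_request_path}
        ? $opt{autoextend_request_path} : 1;   # on by default

    if ($autoextend) {
        # Append each page-component extension to the URL path in turn.
        for my $ext (@page_exts) {
            return "$path$ext" if $files{"$path$ext"};
        }
    }
    else {
        # autoextend_request_path = 0: the URL names the file exactly,
        # e.g. /legacy/page.html is served by the file /legacy/page.html.
        return $path if $files{$path};
    }

    # No direct match: walk up the directory tree looking for a dhandler.
    # Assumption: dhandler lookup uses the same extension list.
    my $dir = $path;
    while ($dir =~ s{/[^/]*$}{}) {
        for my $ext (@page_exts) {
            return "$dir/dhandler$ext" if $files{"$dir/dhandler$ext"};
        }
    }
    return;   # nothing found
}

# Demonstration on constructed URLs.
for my $url (qw(/foo/bar /foo/baz /foo/anything /docs/index.html /foo/bar.mc /nowhere)) {
    my $c = resolve($url);
    printf "%-18s -> %s\n", $url, defined $c ? $c : '(not found)';
}

# With autoextend_request_path off, the .html URL maps to a literal file.
my $legacy = resolve('/legacy/page.html', autoextend_request_path => 0);
printf "%-18s -> %s  (autoextend_request_path => 0)\n",
    '/legacy/page.html', defined $legacy ? $legacy : '(not found)';
```

Running it prints `/foo/bar -> /foo/bar.mc`, `/foo/baz -> /foo/baz.mp`, `/foo/anything -> /foo/dhandler.mc`, `/docs/index.html -> /docs/index.html.mc`, `/foo/bar.mc -> /foo/dhandler.mc` (the request for the source file name is just another path handed to the dhandler, not the raw component), `/nowhere -> (not found)`, and the legacy `.html` case resolving to the literal file. From the URLs alone, none of those requests reveals that Mason is behind them.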


Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
