Dave Cridland wrote:
> On Tue Oct 28 12:04:06 2008, Dirk Meyer wrote:
>> The whole fs is a very bad idea, but I do not see a reason against
>> exposing /home/dmeyer/shared to the rest of the world. Think of a
>> MUC. I have a file with some stuff and just post a URI to my
>> internal web server into the room and everyone can download it.
>
> True, but then you'd have all the requisite security considerations
> of running a webserver.
>
> As Remko points out, webservers have a long and fruitful history of
> exciting bugs like malformed UTF-8, path processing, and countless
> other joyous things.

I agree, there are some things you must take care of. Stuff like
getting /foo/../../../ should not be possible. And if you add cgi-like
stuff you may get into a lot of trouble. Maybe you can just forward
everything to a real web server on your machine.

> I'm not sure you'd want this available in every client, nor available
> to all-comers.

Maybe not, but I would like to see it in a bot. :)

Dirk

-- 
"I don't suffer from insanity. I enjoy every minute of it."
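
The path checks discussed in this thread (no /foo/../../../, no malformed UTF-8), as an added example that is not part of the original message or of any client's code. The names `resolve_shared` and `Rejected` are hypothetical, the request paths are constructed, and rejecting backslashes is a conservative assumption.

```python
import os
from urllib.parse import unquote_to_bytes


class Rejected(ValueError):
    """Request path refused before any file is opened."""


def resolve_shared(root: str, raw_path: str) -> str:
    """Map a request path to a location under root, or raise Rejected."""
    # Decode percent-escapes exactly once, then insist on strict UTF-8.
    # Overlong forms such as %c0%ae (an encoded '.') fail here.
    try:
        decoded = unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise Rejected("malformed UTF-8")
    if "\x00" in decoded or "\\" in decoded:
        raise Rejected("forbidden character")
    if not decoded.startswith("/"):
        raise Rejected("path must start with /")

    # Refuse '..' outright instead of normalising it away.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise Rejected("parent-directory segment")

    # realpath() follows symlinks, so a link inside the share that points
    # outside it is caught by the containment check below.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, *parts))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise Rejected("escapes shared root")
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against the directory named in the thread.
    for req in ["/notes.txt", "/foo/../../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/%c0%ae%c0%ae/x"]:
        try:
            print(req, "->", resolve_shared("/home/dmeyer/shared", req))
        except Rejected as why:
            print(req, "-> rejected:", why)
```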
