The reasons are the same as why, until 5.1.18 comes out, the node version didn't have a static file server, and why the static file server in 5.1.18 does the same thing:

1) Engineers that make things have an obligation to make sure that the things they make are safe to use.

2) It is a webserver, not a local file. The paths aren't virtual paths or anything like that, they are urls. A url doesn't necessarily have any relation to the file system location of what it points to, but it does have meaning to the server. The server Bob uses is a web server that can serve multiple wikis; when the server gets a request it has to determine what the url is supposed to point to. If you don't have a prefix for files then requests to the server can be ambiguous about whether they are supposed to be a served file or a wiki, and you get inconsistent behaviour. When you have inconsistent behaviour it is almost always a security risk.

To prevent Bob from exposing everything on your hard drive to anyone who wants it there are a number of safeguards. When serving a wiki, the wiki has to be listed in the settings and the tiddlywiki.info file has to exist; because of how tiddlywiki is structured there is relatively little risk involved there. There is far more risk when serving arbitrary files off of your computer. If you are not very careful with it then there are ways to ask for a file located somewhere like ../../../../.ssh and then get all the private keys or passwords on a computer. And furthermore, because Bob lets you have wikis hosted on paths like localhost:8080/Wiki1 and localhost:8080/Wiki1/Wiki2, it becomes ambiguous how to handle something like localhost:8080/Wiki1/foo.jpg: it could be a wiki called foo.jpg or it could be the file foo.jpg. Exploiting edge cases like that is one method of gaining unauthorised access to systems. Putting all the static file serving on localhost:8080/files and using a defined mimeMap to filter requests helps with those problems.

