Hi,

In the CVS version of WebKit (and I assume all previous versions)
it's possible to access backup versions of the .py servlet files:
http://localhost/WK/Welcome.py~ for example. This could expose
information about the site that should be kept private. Consider
http://localhost/WK/.htpasswd. While the ExtensionsToIgnore setting
works when the extension isn't specified in the URI, it provides no
protection when it is.

A solution is to make WebKit accept a list of files that it will
never serve ('FilesToIgnore' or 'FilesToHide'). The setting could be
a list of plain string filenames, or a list of patterns to match.
Conversely, it should accept a list of files/patterns that it will
serve from exclusively ('FilesToServe').

Also, I propose that 'ExtensionsToIgnore' be renamed
'ExtensionsToHide', making its purpose clearer. 'ExtensionsToServe'
should be implemented as well.

Cheers,
Tavis
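
The following sketch shows how the proposed hide/serve lists could be evaluated against an explicitly requested path. It is an added example, not part of the original message and not WebKit's code. The function name `is_servable`, the pattern values and the assumption that the path arrives already URL-decoded are all hypothetical.

```python
import fnmatch

# Hypothetical values for the settings proposed in the message above.
FILES_TO_HIDE = ["*~", "*.bak", ".*", "*.pyc"]   # never served
FILES_TO_SERVE = ["*.py", "*.html", "*.css"]     # if non-empty, only these are served


def _matches(name, patterns):
    """True if name matches any shell-style pattern, ignoring case.

    Case is folded so that 'Welcome.PY.BAK' cannot slip past '*.bak'
    on a case-insensitive filesystem.
    """
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def is_servable(url_path, files_to_hide=FILES_TO_HIDE, files_to_serve=FILES_TO_SERVE):
    """Decide whether an explicitly requested, already-decoded path may be served.

    Hide patterns always win over serve patterns. An empty serve list
    means "no allowlist": anything that is not hidden is served.
    """
    parts = [p for p in url_path.split("/") if p]
    if not parts:
        return False
    # Hide rules apply to every path component, so a hidden directory
    # cannot be reached through a leaf name that looks servable.
    if any(p in (".", "..") or _matches(p, files_to_hide) for p in parts):
        return False
    if files_to_serve:
        return _matches(parts[-1], files_to_serve)
    return True


if __name__ == "__main__":
    # Constructed sample requests, including the two paths from the message.
    for path in ["/WK/Welcome.py", "/WK/Welcome.py~", "/WK/.htpasswd", "/WK/notes.txt"]:
        print(path, "->", "serve" if is_servable(path) else "refuse")
```

The check runs on the full requested name, so it covers the case the message describes, where the extension is given in the URI.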