At 11:55 AM 12/12/01 -0800, Tavis Rudd wrote:
>Hi,
>in the cvs version of WebKit (and I assume all previous versions)
>it's possible to access backup versions of the .py servlet files:
>http://localhost/WK/Welcome.py~ for example. This could expose
>information about the site that should be kept private. Consider
>http://localhost/WK/.htpasswd. While the ExtensionsToIgnore setting
>works when the extension isn't specified in the URI, it provides no
>protection when it is.
>
>A solution is to make WebKit accept a list of files that it will
>never serve ('FilesToIgnore' or 'FilesToHide'). The setting could be
>a list of plain string filenames, or a list of patterns to match.
>Conversely, it should accept a list of files/patterns that it will
>serve from exclusively ('FilesToServe').
>
>Also, I propose that 'ExtensionsToIgnore' be renamed
>'ExtensionsToHide', making its purpose clearer. 'ExtensionsToServe'
>should be implemented as well.
Also, even if you're not editing your live site and leaving backup files lying around, you'll still have *.pyc files in there that can be fetched and then potentially decompiled.

--
- Geoff Talvola
[EMAIL PROTECTED]

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
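One way the hide/serve lists proposed in the thread could be checked before a file is served, as an added illustration rather than Webware's own code: the setting names follow the proposal, while the sample pattern values and the `is_servable` function are assumptions.

```python
import fnmatch
import posixpath

# Constructed sample settings. The names follow the proposal in the thread;
# the values are assumptions chosen to cover the cases the thread mentions
# (editor backups such as Welcome.py~, dotfiles such as .htpasswd, and .pyc).
FILES_TO_HIDE = ['*~', '*.bak', '*.swp', '.*']
EXTENSIONS_TO_HIDE = ['.pyc', '.pyo']
FILES_TO_SERVE = ['*.py', '*.html', '*.txt']   # allow-list; [] means "anything not hidden"


def is_servable(uri_path, files_to_hide=FILES_TO_HIDE,
                extensions_to_hide=EXTENSIONS_TO_HIDE,
                files_to_serve=FILES_TO_SERVE):
    """Return True only if the requested file survives every check.

    The checks run on the final path component, so a request that names
    the file explicitly (Welcome.py~) is judged on the full file name and
    cannot slip past a check that only looks at extensions. The order is
    deny-by-name, deny-by-extension, then allow-list; a file must pass
    all three.
    """
    # Collapse '.' and '..' segments first so 'WK/../.htpasswd' is judged
    # by its real target name, then look only at the file name itself.
    name = posixpath.basename(posixpath.normpath(uri_path))
    if not name:
        return False

    # 1. FilesToHide: whole-name patterns, so backups and dotfiles are
    #    caught regardless of what their extension looks like.
    if any(fnmatch.fnmatchcase(name, pat) for pat in files_to_hide):
        return False

    # 2. ExtensionsToHide: compiled bytecode and similar generated files.
    if posixpath.splitext(name)[1] in extensions_to_hide:
        return False

    # 3. FilesToServe: when configured, the file must match at least one
    #    allowed pattern; anything else is refused even if not explicitly hidden.
    if files_to_serve and not any(fnmatch.fnmatchcase(name, pat)
                                  for pat in files_to_serve):
        return False
    return True
```

The filter judges only the file name; a deployment would additionally confirm that the resolved filesystem path stays inside the servlet directory before opening it.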
