We've talked about having an ExtensionsToServe numerous times. Perhaps this should be a configuration option, say "LimitFileTypesServed", and then ExtensionsToServe would list what may be served.
J

> -----Original Message-----
> From: Geoffrey Talvola [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 12, 2001 2:51 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Webware-devel] security hole in WebKit
>
>
> At 11:55 AM 12/12/01 -0800, Tavis Rudd wrote:
> >Hi,
> >in the cvs version of WebKit (and I assume all previous versions)
> >it's possible to access backup versions of the .py servlet files:
> >http://localhost/WK/Welcome.py~ for example. This could expose
> >information about the site that should be kept private. Consider
> >http://localhost/WK/.htpasswd. While the ExtensionsToIgnore setting
> >works when the extension isn't specified in the URI, it provides no
> >protection when it is.
> >
> >A solution is to make WebKit accept a list of files that it will
> >never serve ('FilesToIgnore' or 'FilesToHide'). The setting could be
> >a list of plain string filenames, or a list of patterns to match.
> >Conversely, it should accept a list of files/patterns that it will
> >serve from exclusively ('FilesToServe').
> >
> >Also, I propose that 'ExtensionsToIgnore' be renamed
> >'ExtensionsToHide', making its purpose clearer. 'ExtensionsToServe'
> >should be implemented as well.
>
> Also, even if you're not editing your live site and leaving backup files
> lying around, you'll still have *.pyc files in there that can be fetched
> and then potentially decompiled.
>
>
> --
>
> - Geoff Talvola
> [EMAIL PROTECTED]
>
> _______________________________________________
> Webware-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/webware-devel
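The filtering policy the thread converges on (a deny list of files/patterns that are never served, plus an optional allow list of extensions that may be served) can be shown in a few lines. The following is an added example, not Webware's or WebKit's code and not from any of the posters; the setting names LimitFileTypesServed, ExtensionsToServe and FilesToHide are the ones proposed in the thread, but their exact semantics, the `request_is_servable` function and the sample settings are assumptions of this example. Unlike the ExtensionsToIgnore behaviour Tavis describes, the check here is applied to the file name actually requested, so an explicit `Welcome.py~` or `.htpasswd` in the URI is still refused.

```python
"""Added example (not Webware's own code): a request filter implementing the
deny-list / allow-list policy proposed in this thread. Setting names follow
the thread's proposals; their semantics here are assumptions."""
import fnmatch
import posixpath

# Constructed settings in the spirit of the thread's proposal.
SETTINGS = {
    # When True, only files whose extension appears in ExtensionsToServe
    # are served at all (the "LimitFileTypesServed" idea from the reply).
    "LimitFileTypesServed": True,
    "ExtensionsToServe": [".py", ".psp", ".html"],
    # Files or patterns that are never served, whatever their extension.
    # Editor backups (*~), compiled bytecode (*.pyc / *.pyo) and dotfiles
    # such as .htpasswd are the cases raised in the thread.
    "FilesToHide": ["*~", "*.pyc", "*.pyo", "*.bak", ".*"],
}


def request_is_servable(uri_path, settings=SETTINGS):
    """Return True if the file named by uri_path may be served.

    The checks run on the final path component after normalising the URI,
    so "/WK/sub/../Welcome.py~" is judged as "Welcome.py~" rather than
    letting a path-trick bypass the pattern match.
    """
    name = posixpath.basename(posixpath.normpath(uri_path))
    if not name or name in (".", ".."):
        return False

    # Deny list wins: a hidden file is refused even if its extension is allowed.
    for pattern in settings["FilesToHide"]:
        if fnmatch.fnmatchcase(name, pattern):
            return False

    # Optional allow list on the extension actually present in the request.
    if settings["LimitFileTypesServed"]:
        _, ext = posixpath.splitext(name)
        return ext in settings["ExtensionsToServe"]
    return True


def evaluate_requests(settings=SETTINGS):
    """Run the filter over a constructed set of request paths, including the
    two URIs from the original report, and return {path: decision}."""
    sample_requests = [
        "/WK/Welcome.py",            # normal servlet: served
        "/WK/Welcome.py~",           # editor backup from the report: hidden
        "/WK/.htpasswd",             # dotfile from the report: hidden
        "/WK/Welcome.pyc",           # bytecode noted by Geoff: hidden
        "/WK/sub/../Welcome.py",     # normalises to Welcome.py: served
        "/WK/notes.txt",             # extension not in allow list: refused
    ]
    return {path: request_is_servable(path, settings) for path in sample_requests}


if __name__ == "__main__":
    for path, allowed in evaluate_requests().items():
        print("%-28s %s" % (path, "serve" if allowed else "refuse"))
```

With LimitFileTypesServed set to False the allow list is skipped and `/WK/notes.txt` would be served, but `notes.txt~` or `.htpasswd` would still be refused by FilesToHide; keeping the deny list independent of the allow list is what closes the gap Tavis describes, where an extension given explicitly in the URI slipped past ExtensionsToIgnore.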
