On Friday 21 December 2001 12:24, Edmund Lian wrote:
> I notice that the User's Guide says that listing an extension in
> ExtensionsToIgnore does not prevent it from being served if the
> file is named explicitly in a URL. Wouldn't it be safer to never
> serve files if their extensions are in ExtensionsToIgnore?
>
> How do the FilesToServe and FilesToHide settings interact with
> ExtensionsToIgnore? For example, if I list an extension in
> ExtensionsToIgnore, does this mean that I need to also list it in
> FilesToHide to get the effect in the previous para?
>
> Actually, it appears that ExtensionsToServe rather overlaps with
> FilesToServe and FilesToIgnore. Is there some subtle difference
> between these settings?

There are several concepts to understand here:

1) WebKit's mapping of a request URI to an actual file is a multistage process. It can bail out at several stages if no file is found.

2) WebKit can guess the appropriate extension (.py, .psp, etc.) for a servlet when a URI doesn't specify it. ExtensionsToServe and ExtensionsToIgnore (which should be renamed to ExtensionsToHide) only affect the 'guessing' of extensions. They do not affect whether access is permitted and are not used at all if the extension is given. ExtensionsToServe trumps ExtensionsToIgnore.

3) After WebKit has found the file being requested, it does a final check to make sure that access to the file is permitted. This is a global check that is NOT related to any other authentication/authorization mechanism. It is analogous to the protection of .htaccess and .htpasswd files in Apache. FilesToServe and FilesToHide control this check. FilesToServe trumps FilesToHide.

Does that help?
Tavis

_______________________________________________
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss
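
The interaction described in this thread, as an added example that is not part of the original messages and is not Webware's code: a simplified Python model of the two stages. The function names, sample settings and file list are constructed, and "trumps" is read as "wins when a file matches both lists", which is an assumption.

```python
from fnmatch import fnmatch
import os.path

# Constructed settings: the four key names come from the thread, the values do not.
CONFIG = {
    "ExtensionsToServe": [],
    "ExtensionsToIgnore": [".pyc", ".bak"],
    "FilesToServe": [],
    "FilesToHide": ["*.bak"],
}
# Constructed directory listing.
FILES = ["index.py", "index.pyc", "index.bak", "report.pyc"]


def guess_file(name, files, cfg):
    """Extension guessing (point 2 of the reply)."""
    if os.path.splitext(name)[1]:
        # Extension given in the URI: the Extensions* lists are not consulted.
        return name if name in files else None
    for f in sorted(files):  # assumption: first match in sorted order wins
        stem, ext = os.path.splitext(f)
        if stem != name:
            continue
        ignored = (ext in cfg["ExtensionsToIgnore"]
                   and ext not in cfg["ExtensionsToServe"])
        if not ignored:
            return f
    return None


def access_permitted(filename, cfg):
    """Final global check (point 3 of the reply)."""
    if any(fnmatch(filename, p) for p in cfg["FilesToServe"]):
        return True  # FilesToServe wins over FilesToHide
    return not any(fnmatch(filename, p) for p in cfg["FilesToHide"])


def resolve(name, files=FILES, cfg=CONFIG):
    """Return the file that would be served for `name`, or None."""
    found = guess_file(name, files, cfg)
    if found is None or not access_permitted(found, cfg):
        return None
    return found
```

In this model `resolve("index.pyc")` still returns the file even though `.pyc` is in ExtensionsToIgnore, while `resolve("index.bak")` returns nothing because only FilesToHide takes part in the access check.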
