On 17.10.17 at 1:15 PM, Roderick wrote:
> If a cgi script is readable, but not executable, the server sends its source as text.
> Is this not a security problem?
NaviServer allows serving cgi-programs AND included content (images, css, ...) from a cgi-bin directory. In order to identify in a cgi-directory whether a file should be treated as a file or as a cgi-script, it uses the executable flag. The source code says:

    Evidently people are storing images and such in
    their cgi bin directory and they expect us to
    return these files directly.

This is different from other servers, which do not allow this. ... and apparently, this is unexpected behavior for you, which can lead to revealing unwanted information when not carefully set up.

One can certainly change this, but that would break existing applications relying on that feature.

We can consider adding a config option to make this behavior configurable, where by default serving static content this way is disallowed. I would still prefer to require the executable flag to be set.
More opinions about this ?
all the best
-gn
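The practical consequence of the behaviour discussed above is that any regular file in a cgi-bin directory that is readable but lacks the executable bit is served as static content, so a script dropped there without +x has its source returned verbatim. The following is an added audit script, not part of the mailing-list post or of NaviServer itself; it assumes a cgi-bin directory path is passed as the first argument and lists every regular file there that would fall into the static-content case. The demonstration directory and file names at the bottom are constructed for illustration.

```bash
#!/bin/sh
# Added example (not NaviServer code): list regular files in a cgi-bin
# directory that are readable but not executable. Under the behaviour
# described in the thread, such files are returned as-is instead of being
# run as CGI, so a script stored without +x would leak its source.
#
# Usage: audit_cgi_dir /path/to/cgi-bin
# Prints one offending path per line; returns 0 if none, 1 otherwise.
audit_cgi_dir() {
    dir="$1"
    found=0
    # Include dotfiles; '.' and '..' are directories and are skipped by -f.
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue          # regular files only (also skips unmatched globs)
        if [ -r "$f" ] && [ ! -x "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# Demonstration on a constructed directory (hypothetical layout, not a real deployment).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "Content-type: text/plain"; echo; echo hello\n' > "$demo_dir/hello.cgi"
chmod 755 "$demo_dir/hello.cgi"     # proper CGI script: executable, not flagged
printf 'db_password = "example"\n' > "$demo_dir/config.inc"
chmod 644 "$demo_dir/config.inc"    # readable, not executable: would be served as text
printf 'GIF89a' > "$demo_dir/logo.gif"
chmod 644 "$demo_dir/logo.gif"      # intended static asset: also flagged, review whether it belongs here

if audit_cgi_dir "$demo_dir"; then
    echo "no non-executable files in $demo_dir"
else
    echo "the files above would be served as static content from $demo_dir"
fi
rm -rf "$demo_dir"
```

Run it against each cgi-bin directory the server is configured with; every path it prints is either a static asset that deliberately relies on the documented behaviour or a file whose permissions need fixing. If the config option discussed in the thread is introduced and static serving from cgi-bin is disabled, the same listing shows which assets would need to move elsewhere.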
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel