I've just done a little more work on this in the experimental code. Here are the config settings I've implemented and tested so far:
DirectoryFiles = ['index','Index','main','Main', 'default','Default',]

## these 2 only affect requests with no extension specified
# same as before
ExtensionsToHide = ['.pyc','.pyo','.py~', '.bak', '.tmpl', '.py_bak']
# only use if a list is given
ExtensionsToServe = None
# ExtensionsToServe = ['.py','.html']

# if multiple files are found for a URI without the ext specified
# cascade through this list in sequence till one is found.
# 404 if none match
UseCascadingExtensions = True
ExtensionCascadeOrder = ['.html', '.py', '.psp', '.tmpl']

# a list of glob patterns to filter out after all the rest of the
# path matching is finished. 404 if matches
FilesToHide = ['.*','*~', '*bak', '*.tmpl', ]

# a list of glob patterns to serve from exclusively.
# if the file found for the URI doesn't match then 404
# done after FilesToHide
FilesToServe = None # only used if a list is given
#FilesToServe = ['*.py', '*.jpg','*.gif']

Regardless of whether the rest of the experimental code is used, I feel this stuff should definitely make it in.

What do you think about the names I've given the settings? ExtensionsToServe and FilesToServe are a bit ambiguous. I'm leaning towards FilePatternsToServe.

Tavis

On Wednesday 12 December 2001 11:57, Love, Jay wrote:
> We've talked about having an ExtensionsToServe numerous times.
> Perhaps this should be a configuration option, say
> "LimitFileTypesServed", and then ExtensionsToServe would list what
> may be served.
>
> J
>
> > -----Original Message-----
> > From: Geoffrey Talvola [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 12, 2001 2:51 PM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [Webware-devel] security hole in WebKit
> >
> > At 11:55 AM 12/12/01 -0800, Tavis Rudd wrote:
> > > Hi,
> > > in the cvs version of WebKit (and I assume all previous
> > > versions) it's possible to access backup versions of the .py
> > > servlet files: http://localhost/WK/Welcome.py~ for example.
> > > This could expose information about the site that should be
> > > kept private. Consider http://localhost/WK/.htpasswd. While
> > > the ExtensionsToIgnore setting works when the extension isn't
> > > specified in the URI, it provides no protection when it is.
> > >
> > > A solution is to make WebKit accept a list of files that it will
> > > never serve ('FilesToIgnore' or 'FilesToHide'). The setting
> > > could be a list of plain string filenames, or a list of
> > > patterns to match. Conversely, it should accept a list of
> > > files/patterns that it will serve from exclusively
> > > ('FilesToServe').
> > >
> > > Also, I propose that 'ExtensionsToIgnore' be renamed
> > > 'ExtensionsToHide', making its purpose clearer.
> > > 'ExtensionsToServe' should be implemented as well.
> >
> > Also, even if you're not editing your live site and leaving
> > backup files lying around, you'll still have *.pyc files in there
> > that can be fetched and then potentially decompiled.
> >
> > --
> >
> > - Geoff Talvola
> > [EMAIL PROTECTED]
> >
> > _______________________________________________
> > Webware-devel mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/webware-devel
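As an added example (not code from this thread and not WebKit's own), the resolver below models the lookup rules the posted settings describe, in the order their comments give them, and runs them over a constructed directory listing. The settings dictionary reuses the thread's names and values; the resolver, the DOC_ROOT listing, the HARDENED variant and the reachable() audit helper are all assumptions about how such settings would be applied, not anything WebKit implements.

```python
# Added example, not WebKit's own code: a stand-alone model of the
# URI-to-file resolution rules proposed in the thread, so the order in
# which the checks apply can be exercised against a constructed directory.
import fnmatch
import posixpath

# The setting names and values are the ones posted in the thread;
# everything below them is a hypothetical implementation.
SETTINGS = {
    'DirectoryFiles': ['index', 'Index', 'main', 'Main', 'default', 'Default'],
    'ExtensionsToHide': ['.pyc', '.pyo', '.py~', '.bak', '.tmpl', '.py_bak'],
    'ExtensionsToServe': None,           # None means no restriction
    'UseCascadingExtensions': True,
    'ExtensionCascadeOrder': ['.html', '.py', '.psp', '.tmpl'],
    'FilesToHide': ['.*', '*~', '*bak', '*.tmpl'],
    'FilesToServe': None,                # None means no restriction
}

# ExtensionsToHide only covers URIs given without an extension, so an
# explicit request for Welcome.pyc still gets through; this variant (an
# assumption, not from the thread) closes that with FilesToHide globs.
HARDENED = dict(SETTINGS, FilesToHide=SETTINGS['FilesToHide'] + ['*.pyc', '*.pyo'])

# Constructed listing of a servlet directory with the kinds of leftovers the
# thread mentions: editor backups, bytecode, .htpasswd, template sources.
DOC_ROOT = {
    'Welcome.py', 'Welcome.py~', 'Welcome.pyc', 'Welcome.html',
    'Main.py', '.htpasswd', 'Page.tmpl', 'Page.py', 'old.bak',
}


def _ext_allowed(name, settings):
    """ExtensionsToHide / ExtensionsToServe, used only for extension-less URIs."""
    ext = posixpath.splitext(name)[1]
    if ext in settings['ExtensionsToHide']:
        return False
    serve = settings['ExtensionsToServe']
    return serve is None or ext in serve


def _candidates(stem, listing, settings):
    """Files named stem + extension that pass the extension filters, in cascade order."""
    found = [n for n in listing
             if posixpath.splitext(n)[0] == stem and posixpath.splitext(n)[1]
             and _ext_allowed(n, settings)]
    if settings['UseCascadingExtensions']:
        # Walk the cascade order; extensions not listed in it are never picked.
        return [n for e in settings['ExtensionCascadeOrder']
                for n in found if posixpath.splitext(n)[1] == e]
    # Assumption: without cascading, a unique match is served and an
    # ambiguous one is treated as a 404.
    return found if len(found) == 1 else []


def resolve(uri_name, listing, settings=SETTINGS):
    """Return the file to serve for one path component, or None for a 404."""
    if uri_name == '':
        # Directory request: first DirectoryFiles entry that resolves.
        for d in settings['DirectoryFiles']:
            hit = resolve(d, listing, settings)
            if hit is not None:
                return hit
        return None
    if uri_name in listing:
        chosen = uri_name                     # explicit name: extension filters skipped
    elif posixpath.splitext(uri_name)[1]:
        return None                           # explicit extension, no such file
    else:
        cands = _candidates(uri_name, listing, settings)
        if not cands:
            return None
        chosen = cands[0]
    # The glob filters run last, after all other path matching, and
    # FilesToHide is applied before FilesToServe.
    if any(fnmatch.fnmatchcase(chosen, p) for p in settings['FilesToHide']):
        return None
    serve = settings['FilesToServe']
    if serve is not None and not any(fnmatch.fnmatchcase(chosen, p) for p in serve):
        return None
    return chosen


def reachable(listing, settings=SETTINGS):
    """Audit helper: names in the listing that an explicit request would be served."""
    return sorted(n for n in listing if resolve(n, listing, settings) is not None)


if __name__ == '__main__':
    for req in ['', 'Welcome', 'Welcome.py~', 'Welcome.pyc', '.htpasswd', 'Page']:
        print('%-14r -> %r' % (req, resolve(req, DOC_ROOT)))
    print('reachable with thread settings:  ', reachable(DOC_ROOT))
    print('reachable with hardened settings:', reachable(DOC_ROOT, HARDENED))
```

Run against the constructed listing, the thread's settings turn Welcome.py~, .htpasswd, old.bak and Page.tmpl into 404s, but an explicit request for Welcome.pyc is still served, which is exactly the gap Geoff points out: ExtensionsToHide never sees a request that names its extension. The reachable() helper makes that visible from the directory listing alone, and the HARDENED variant shows that the fix within the proposed design is a FilesToHide glob rather than another extension entry.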
