On Friday 21 December 2001 12:24, Edmund Lian wrote:
> I notice that the User's Guide says that listing an extension in
> ExtensionsToIgnore does not prevent it from being served if the
> file is named explicitly in a URL. Wouldn't it be safer to never
> serve files if their extensions are in ExtensionsToIgnore?
> How do the FilesToServe and FilesToHide settings interact with
> ExtensionsToIgnore? For example, if I list an extension in
> ExtensionsToIgnore, does this mean that I need to also list it in
> FilesToHide to get the effect in the previous para?
> Actually, it appears that ExtensionsToServe rather overlaps with
> FilesToServe and FilesToIgnore. Is there some subtle difference
> between these settings?

There are several concepts to understand here:

1) WebKit's mapping of a request URI to an actual file is a
multistage process. It can bail out at several stages if no file is

2) WebKit can guess the appropriate extension (.py, .psp, etc.) for a
servlet when a URI doesn't specify it. ExtensionsToServe and
ExtensionsToIgnore (which should be renamed to ExtensionsToHide) only
affect the 'guessing' of extensions. They do not affect whether
access is permitted and are not used at all if the extension is
given. ExtensionsToServe trumps ExtensionsToIgnore.

3) After WebKit has found the file being requested it does a final
check to make sure that access to the file is permitted. This is a
global check that is NOT related to any other
authentication/authorization mechanism. It is analogous to the
protection of .htaccess and .htpasswd files in Apache. FilesToServe
and FilesToHide control this check. FilesToServe trumps FilesToHide.
Does that help?
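
A small Python model of the two checks described in this reply, added here as an illustration; it is not WebKit's own code and is not part of the original message. Assumptions: the function names are hypothetical, extensions are written with a leading dot, FilesToServe and FilesToHide are treated as glob patterns, and "trumps" is read as "a name matching both lists is handled as if only on the Serve list".

```python
from fnmatch import fnmatch

def guess_file(name, files, ext_to_serve, ext_to_ignore):
    """Extension guessing. The extension lists are consulted only when
    the request does not name an existing file exactly."""
    if name in files:                      # extension given: lists not used
        return name
    for f in sorted(files):
        base, dot, ext = f.rpartition(".")
        if not dot or base != name:
            continue
        ext = "." + ext
        # Assumed reading of "ExtensionsToServe trumps ExtensionsToIgnore"
        if ext in ext_to_serve or ext not in ext_to_ignore:
            return f
    return None

def access_permitted(filename, files_to_serve, files_to_hide):
    """Final global check, independent of extension guessing."""
    # Assumed reading of "FilesToServe trumps FilesToHide"
    if any(fnmatch(filename, p) for p in files_to_serve):
        return True
    return not any(fnmatch(filename, p) for p in files_to_hide)

def resolve(name, files, cfg):
    """Return the file that would be served for `name`, or None."""
    f = guess_file(name, files,
                   cfg["ExtensionsToServe"], cfg["ExtensionsToIgnore"])
    if f is None:
        return None
    if not access_permitted(f, cfg["FilesToServe"], cfg["FilesToHide"]):
        return None
    return f

# Constructed sample directory and settings (not taken from a real site).
FILES = {"report.py", "report.bak", "config.bak"}
WEAK = {"ExtensionsToServe": [], "ExtensionsToIgnore": [".bak"],
        "FilesToServe": [], "FilesToHide": []}
HARDENED = dict(WEAK, FilesToHide=["*.bak"], FilesToServe=["report.bak"])

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for name in ("report", "config", "config.bak", "report.bak"):
            print(f"{label:9} {name:11} -> {resolve(name, FILES, cfg)}")
```

With the weak settings, `config` resolves to nothing but `config.bak` is still served; only the FilesToHide pattern in the hardened settings closes that gap.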