At 11:55 AM 12/12/01 -0800, Tavis Rudd wrote:
>Hi,
>in the cvs version of WebKit (and I assume all previous versions)
>it's possible to access backup versions of the .py servlet files:
>http://localhost/WK/Welcome.py~ for example. This could expose
>information about the site that should be kept private. Consider
>http://localhost/WK/.htpasswd. While the ExtensionsToIgnore setting
>works when the extension isn't specified in the URI, it provides no
>protection when it is.
>
>A solution is to make WebKit accept a list of files that it will
>never serve ('FilesToIgnore' or 'FilesToHide'). The setting could be
>a list of plain string filenames, or a list of patterns to match.
>Conversely, it should accept a list of files/patterns that it will
>serve from exclusively ('FilesToServe').
>
>Also, I propose that 'ExtensionsToIgnore' be renamed
>'ExtensionsToHide', making its purpose clearer. 'ExtensionsToServe'
>should be implemented as well.
Also, even if you're not editing your live site and leaving backup files
lying around, you'll still have *.pyc files in there that can be fetched
and then potentially decompiled.
--
- Geoff Talvola
gtalvola@...
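As an added illustration of the hide/serve lists proposed above (not Webware/WebKit code; the setting names come from Tavis Rudd's proposal, the matching rules, the default patterns and the decision to check every path component rather than only the basename are assumptions made here), a request filter that refuses editor backups, .htpasswd and compiled .pyc files even when the extension is named explicitly in the URI:

```python
"""Request filter for the FilesToHide / FilesToServe / ExtensionsToHide /
ExtensionsToServe settings proposed in the thread.

Added example, not Webware/WebKit code.  Assumptions: patterns are
fnmatch-style globs matched against each path component, hide lists win
over serve lists, and an empty serve list means "no restriction".
"""
import fnmatch
import posixpath

# Constructed defaults in the spirit of the proposal.
SETTINGS = {
    # Never served, even when the client names them explicitly.
    'FilesToHide': ['*~', '*.bak', '*.orig', '*.swp', '.ht*', 'CVS', '.svn'],
    # When non-empty, only files matching one of these may be served.
    'FilesToServe': [],
    # Extensions that are never served (covers *.pyc fetched for decompiling).
    'ExtensionsToHide': ['.pyc', '.pyo'],
    # When non-empty, only these extensions may be served.
    'ExtensionsToServe': [],
}


def _normalise(uri_path):
    """Collapse '.', '..' and duplicate slashes so patterns see real names."""
    return posixpath.normpath('/' + uri_path.lstrip('/'))


def is_servable(uri_path, settings=SETTINGS):
    """Return True if uri_path passes the hide and serve lists, else False."""
    path = _normalise(uri_path)
    parts = [p for p in path.split('/') if p]
    name = parts[-1] if parts else ''
    ext = posixpath.splitext(name)[1]

    # Deny lists are checked first and win over everything else.  Every
    # component is tested so a hidden directory (CVS/, .svn/, backup~/)
    # cannot be walked into either.
    for part in parts:
        for pat in settings.get('FilesToHide', []):
            if fnmatch.fnmatchcase(part, pat):
                return False
    if ext in settings.get('ExtensionsToHide', []):
        return False

    # Allow lists, when configured, restrict what is left.  They apply to
    # the final component only; directories are not "served".
    serve = settings.get('FilesToServe', [])
    if serve and not any(fnmatch.fnmatchcase(name, p) for p in serve):
        return False
    exts = settings.get('ExtensionsToServe', [])
    if exts and ext not in exts:
        return False
    return True


if __name__ == '__main__':
    for uri in ('/WK/Welcome.py', '/WK/Welcome.py~', '/WK/.htpasswd',
                '/WK/Welcome.pyc', '/WK/../WK/CVS/Entries'):
        print('%-24s %s' % (uri, 'serve' if is_servable(uri) else 'REFUSE'))
```

The normalisation step matters: a check on the raw URI string would let `/WK/./Welcome.py~` or `/WK//.htpasswd` slip past a plain filename list, which is why patterns are applied to the normalised components rather than to whatever the client sent.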