Home / Browse / yaws / Mail / Archive

yaws

Email Archive: erlyaws-list (read-only)

Re: [Erlyaws-list] CGIs and more

From: Carsten Schultz <carsten@gn...> - 2003-07-23 21:05

On Tue, Jul 22, 2003 at 08:44:24AM -0500, Hal Snyder wrote:
> Carsten Schultz <carsten@...> writes:
> > If a file of a type that is not allowed is requested, a 404 is
> > returned. The alternative would be to treat it as a regular file.
> > Returning 404 means that adding new script types can break existing
> > servers. Treating as regular would mean that a misconfigured server
> > could accidentally return the source of a script or an executable.
> > What do you prefer?
>=20
> Just a thought - how about 403 - Forbidden?

Good point.  Done.

Thanks,

Carsten

--=20
Carsten Schultz (2:40, 33:47), FB Mathematik, FU Berlin
http://carsten.fu-mathe-team.de/
PGP/GPG key on the pgp.net key servers,=20
fingerprint on my home page.

Thread View

Thread	Author	Date
[Erlyaws-list] CGIs and more	Carsten Schultz <cschultz@in...>

Re: [Erlyaws-list] CGIs and more

From: Carsten Schultz <carsten@gn...> - 2003-07-22 10:07

Attachments: Message as HTML

Hi,

is there anybody out there?  :-)

Anyway, in cvs you can now configure the allowed script types.  In the
server configuration part you could add

    allowed_scripts =3D yaws php cgi

to allow all currently implemented script types.  Or you could write

    allowed_scripts =3D

to disallow even yaws scripts for a virtual server with untrusted
files.  Default is `allowed_scripts =3D yaws'.

If a file of a type that is not allowed is requested, a 404 is
returned.  The alternative would be to treat it as a regular file.
Returning 404 means that adding new script types can break existing
servers.  Treating as regular would mean that a misconfigured server
could accidentally return the source of a script or an executable.
What do you prefer?

Of course, all of this is a bit ad hoc.  A more modular design of Yaws
could be nice, but might also add more overhead.  I have tried to keep
everything simple and fast.

Greetings,

Carsten

--=20
Carsten Schultz (2:40, 33:47), FB Mathematik, FU Berlin
http://carsten.fu-mathe-team.de/
PGP/GPG key on the pgp.net key servers,=20
fingerprint on my home page.

Re: [Erlyaws-list] CGIs and more

From: Hal Snyder <hal@va...> - 2003-07-22 13:44

Carsten Schultz <carsten@...> writes:

> Anyway, in cvs you can now configure the allowed script types.  In the
> server configuration part you could add
>
>     allowed_scripts = yaws php cgi
>
> to allow all currently implemented script types.  Or you could write
>
>     allowed_scripts =
>
> to disallow even yaws scripts for a virtual server with untrusted
> files.  Default is `allowed_scripts = yaws'.
>
> If a file of a type that is not allowed is requested, a 404 is
> returned. The alternative would be to treat it as a regular file.
> Returning 404 means that adding new script types can break existing
> servers. Treating as regular would mean that a misconfigured server
> could accidentally return the source of a script or an executable.
> What do you prefer?

Just a thought - how about 403 - Forbidden?

Thanks.

Re: [Erlyaws-list] CGIs and more

From: Carsten Schultz <carsten@gn...> - 2003-07-23 21:05

Attachments: Message as HTML

On Tue, Jul 22, 2003 at 08:44:24AM -0500, Hal Snyder wrote:
> Carsten Schultz <carsten@...> writes:
> > If a file of a type that is not allowed is requested, a 404 is
> > returned. The alternative would be to treat it as a regular file.
> > Returning 404 means that adding new script types can break existing
> > servers. Treating as regular would mean that a misconfigured server
> > could accidentally return the source of a script or an executable.
> > What do you prefer?
>=20
> Just a thought - how about 403 - Forbidden?

Good point.  Done.

Thanks,

Carsten

--=20
Carsten Schultz (2:40, 33:47), FB Mathematik, FU Berlin
http://carsten.fu-mathe-team.de/
PGP/GPG key on the pgp.net key servers,=20
fingerprint on my home page.