
#13 -yesself - by default program files should be hidden

Next Release
open
None
7
2007-11-23
2007-11-20
No

Hi Gang,

Nickolas and I have standardized on the -no nomenclature. Keeping in form with that I'd also like to suggest a -yes when settings should be disabled by default. By default the web server shouldn't list any of the following in directory browsing:
miniwebsvr.exe
miniwebsvrcon.exe
miniwebsvr.log

Therefore I'm suggesting that those should be hidden files by default and that only with the -yesself would it show its own core files. I can't think of a better way of enabling hacking than allowing the user to download the webserver, decompile it or google the source code and then plan an attack.

To that end I'd also like to suggest that the program be distributed with two main folders:
\Src\...
\Bin\...

That way we won't be sharing the source code by default either, since the source code would then be in an entirely different folder.

Thanks,
Christian Blackburn

Discussion

  • Nickolas Grigoriadis

    Logged In: YES
    user_id=1689094
    Originator: NO

    Hmmm

    How about adding a \web\ folder, and this is the default, with some default page saying:
    "MiniWebSvr is working, if you see this page except what you expected --> link to docs"

    or something like that.

    And then we would have to provide the docs in HTML form too :)

     
  • Nickolas Grigoriadis

    Logged In: YES
    user_id=1689094
    Originator: NO

    I don't like the "yes" prefix, I mean it is implicit in a standard where a "no" prefix means false, therefore the [blank] prefix should mean yes?

    so instead of -yesself it should rather be something like -showall, which will try and show/download all entries in the directory tree.

    So by default the server hides itself and its own owned files, and any hidden files and files in a hidden directory.
    Hmmm...

    I have a different idea:

    something like "-show myself,hidden" where in that case you can add the no or more obvious "-" prefix:
    like "--show -myself,hidden".

    Since we are implementing this, you should be able to blacklist certain files as well.
    like --hide "/src", and it will essentially hide the whole directory and all contents inside it.

    Will the server have to make "hidden" files non-accessible as well?
    I'm in two minds about it. Sometimes you want to make a hidden file accessible if you point to it directly?
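
The hide rules proposed in this comment, as an added Python example that is not part of the ticket thread and not MiniWebSvr's own code. The class, method and parameter names are hypothetical; matching the server's file names anywhere in the tree and treating "hidden also means not downloadable" as a `block_direct` switch are assumptions made here.

```python
import posixpath
from urllib.parse import unquote

# File names taken from the ticket; every other name here is hypothetical.
SELF_FILES = {"miniwebsvr.exe", "miniwebsvrcon.exe", "miniwebsvr.log"}


class HidePolicy:
    def __init__(self, hide=(), show_self=False, block_direct=True):
        self.hide = [self._norm(p) for p in hide]  # proposed --hide "/src"
        self.show_self = show_self                 # proposed -yesself / --show myself
        self.block_direct = block_direct           # hidden also means not downloadable

    @staticmethod
    def _norm(url_path):
        """Canonical form: decoded, '/'-separated, no '.' or '..', lower case."""
        p = unquote(url_path).replace("\\", "/")
        p = posixpath.normpath("/" + p.lstrip("/"))
        return p.lower()  # Windows file names are case-insensitive

    @staticmethod
    def _odd_segment(url_path):
        """True if a segment ends in '.' or ' ', which Win32 strips from file names."""
        segs = unquote(url_path).replace("\\", "/").split("/")
        return any(s not in (".", "..") and s[-1:] in (".", " ") for s in segs)

    def is_hidden(self, url_path):
        if self._odd_segment(url_path):
            return True  # fail closed instead of guessing what the OS will open
        p = self._norm(url_path)
        if not self.show_self and posixpath.basename(p) in SELF_FILES:
            return True
        # A hidden directory hides itself and everything below it, but not
        # a sibling that merely shares the prefix ("/src" vs "/srcdocs").
        return any(p == h or p.startswith(h + "/") for h in self.hide)

    def listing(self, dir_url, names):
        """Entries of dir_url that may appear in the generated index page."""
        return [n for n in names if not self.is_hidden(posixpath.join(dir_url, n))]

    def may_serve(self, url_path):
        """Decision for a direct request to url_path."""
        return not (self.block_direct and self.is_hidden(url_path))
```

Both the listing and the direct-request check go through the same `is_hidden` test, so an encoded, mixed-case or dot-suffixed spelling of a hidden name cannot pass one check while failing the other.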

     
  • Nickolas Grigoriadis

    • milestone: --> Next Release
    • priority: 5 --> 7
     
  • Nickolas Grigoriadis

    • assigned_to: nobody --> grigi_
     
  • Christian Blackburn

    Logged In: YES
    user_id=561770
    Originator: YES

    Hi Gang,

    I like all the ideas mentioned. I think the help message that comes up if the user hasn't populated their "\web" folder yet should be restricted to the originating IP only. Everyone else should see an internal server error.

    Thanks,
    Christian

     
