From: Gustaf N. <ne...@wu...> - 2017-10-19 12:37:34
On 17.10.17 at 1:15 PM, Roderick wrote:
> If a cgi script is readable, but not executable, the server
> sends its source as text.
>
> Is this not a security problem?

NaviServer allows serving cgi-programs AND included content (images, css, ...) from a cgi-bin directory. In order to identify in a cgi-directory whether a file should be treated as a file or as a cgi-script, it uses the executable flag. The source code says

    Evidently people are storing images and such in their cgi bin directory and they expect us to return these files directly. This is different to other servers, which do not allow this.

... and apparently, this is unexpected behavior for you - which can lead to revealing unwanted information, when not carefully set up.

One can certainly change this, but that would break existing applications relying on that feature. We can consider adding a config option to make this behavior configurable, where by default serving static content this way is disallowed. I would still prefer to require the executable flag to be set.

More opinions about this?

all the best
-gn
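An audit for the behaviour discussed above, added here as an example and not code from NaviServer or from anyone in this thread: it walks a cgi-bin tree and lists files that look like scripts (a script suffix or a "#!" shebang, an assumed heuristic) but lack the executable bit, i.e. the files that would be sent as plain text instead of being run. The sample tree is constructed inline.

```python
#!/usr/bin/env python3
"""Audit a cgi-bin directory for non-executable script files that would be served as source."""
import os
import stat
import tempfile

# Assumption: typical CGI script suffixes; extend for your deployment.
SCRIPT_EXTENSIONS = {".cgi", ".pl", ".py", ".sh", ".tcl"}


def looks_like_script(path):
    """Heuristic: a script extension, or a '#!' shebang in the first two bytes."""
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_cgi_dir(root):
    """Return sorted paths (relative to root) of script-like files with no executable bit.
    With the executable flag as the only switch, these are not run but sent as text."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if not executable and looks_like_script(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def demo():
    """Build a constructed cgi-bin tree (sample data, not a real server) and audit it."""
    root = tempfile.mkdtemp(prefix="cgi-bin-")
    samples = {
        "hello.cgi": (b"#!/bin/sh\necho 'Content-type: text/plain'\n", 0o755),  # executable: fine
        "report.pl": (b"#!/usr/bin/perl\nmy $dbpass = 'example';\n", 0o644),  # served as source
        "logo.png": (b"\x89PNG\r\n\x1a\n", 0o644),  # static content, intended
        "util.sh": (b"#!/bin/sh\n", 0o644),  # served as source
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return audit_cgi_dir(root)


if __name__ == "__main__":
    for rel in demo():
        print("would be served as source:", rel)
```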