#9 WebKit security flaw with extensions

closed-fixed
nobody
None
7
2002-03-07
2001-12-12
No

(adapted from Tavis's message to webware-devel)

In the cvs version of WebKit (and I assume all
previous versions) it's possible to access backup
versions of the .py servlet files:
http://localhost/WK/Welcome.py~ for example. This
could expose information about the site that should be
kept private. Consider http://localhost/WK/.htpasswd.
While the ExtensionsToIgnore setting works when the
extension isn't specified in the URI, it provides no
protection when it is.

A solution is to make WebKit accept a list of files
that it will never serve ('FilesToIgnore'
or 'FilesToHide'). The setting could be a list of
plain string filenames, or a list of patterns to
match. Conversely, it should accept a list of
files/patterns that it will serve from exclusively
('FilesToServe').

Also, I propose that 'ExtensionsToIgnore' be renamed
'ExtensionsToHide', making its purpose
clearer. 'ExtensionsToServe' should be implemented as
well.

Also, even if you're not editing your live site and
leaving backup files lying around, you'll still have
*.pyc files in there that can be fetched and then
potentially decompiled.
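The behaviour reported above and the proposed filename filter, as an added example that is not part of the original report and is not WebKit's own code. `resolve_legacy` is a simplified model of the lookup as the report describes it; the glob pattern syntax, the sample directory contents and all function names are assumptions made for illustration.

```python
import fnmatch
import os

# Constructed sample: contents of a servlet directory on a hypothetical site.
FILES = ["Welcome.py", "Welcome.py~", "Welcome.pyc", ".htpasswd", "logo.png"]
EXTENSIONS_TO_IGNORE = [".pyc", ".py~"]
# Proposed deny list, as glob patterns (pattern syntax is an assumption).
FILES_TO_HIDE = [".*", "*~", "*.bak", "*.pyc"]


def resolve_legacy(name, files, extensions_to_ignore):
    """Model of the reported behaviour: the ignore list is consulted only
    when the requested name carries no extension."""
    if os.path.splitext(name)[1]:
        # Explicit extension in the URI: served without any filtering.
        return name if name in files else None
    for candidate in sorted(files):
        base, ext = os.path.splitext(candidate)
        if base == name and ext not in extensions_to_ignore:
            return candidate
    return None


def is_servable(filename, files_to_hide, files_to_serve=()):
    """Deny list wins; a non-empty allow list then restricts what is left."""
    if any(fnmatch.fnmatchcase(filename, p) for p in files_to_hide):
        return False
    if files_to_serve:
        return any(fnmatch.fnmatchcase(filename, p) for p in files_to_serve)
    return True


def resolve_hardened(name, files, extensions_to_ignore,
                     files_to_hide, files_to_serve=()):
    """Apply the filename filter to whatever file the lookup resolved to,
    so it holds whether or not the URI named an extension."""
    found = resolve_legacy(name, files, extensions_to_ignore)
    if found is not None and is_servable(found, files_to_hide, files_to_serve):
        return found
    return None


if __name__ == "__main__":
    for request in ["Welcome", "Welcome.py~", "Welcome.pyc", ".htpasswd"]:
        print(request,
              resolve_legacy(request, FILES, EXTENSIONS_TO_IGNORE),
              resolve_hardened(request, FILES, EXTENSIONS_TO_IGNORE, FILES_TO_HIDE))
```

Because `os.path.splitext` reports no extension for `.htpasswd`, an extension list alone cannot cover it; the `.*` filename pattern does.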

Discussion

  • Geoff Talvola

    Geoff Talvola - 2002-03-07

    Fixed in the upcoming 0.7 release.

     
  • Geoff Talvola

    Geoff Talvola - 2002-03-07
    • status: open --> closed-fixed
     
