(adapted from Tavis's message to webware-devel)
In the cvs version of WebKit (and I assume all
previous versions) it's possible to access backup
versions of the .py servlet files:
http://localhost/WK/Welcome.py~ for example. This
could expose information about the site that should be
kept private. Consider http://localhost/WK/.htpasswd.
While the ExtensionsToIgnore setting works when the
extension isn't specified in the URI, it provides no
protection when it is.
A solution is to make WebKit accept a list of files
that it will never serve ('FilesToIgnore'
or 'FilesToHide'). The setting could be a list of
plain string filenames, or a list of patterns to
match. Conversely, it should accept a list of
files/patterns that it will serve from exclusively
Also, I propose that 'ExtensionsToIgnore' be renamed
'ExtensionsToHide', making its purpose
clearer. 'ExtensionsToServe' should be implemented as
Also, even if you're not editing your live site and
leaving backup files lying around, you'll still have
*.pyc files in there that can be fetched and then
Log in to post a comment.