W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: Potential HTTP Security Risk

From: BearHeart / Bill Weinman <BearHeart@bearnet.com>
Date: Sat, 30 Dec 1995 11:48:06 -0600
Message-Id: <199512301748.LAA12828@primus.paranoia.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 12:10 am 12/30/95 -0800, Roy T. Fielding wrote:
>> For the 'security considerations' portion of the 1.1 draft, with your
>> concurrence:
>     On such a system, an HTTP server must disallow any such construct
>     in the Request-URI if it would otherwise allow access to a resource
>     outside those intended to be accessible via the HTTP server.
>     Similarly, files intended for reference only internally to the server
>     (such as access control files, configuration files, and script code)
>     must be protected from inappropriate retrieval, since they might
>     contain sensitive information.

   I like the wording here "outside those intended to be accessible", as 
that is more general than what I had suggested. I would also like to 
see some suggestion that the sysadmin be able to specify what is and 
is not "intended to be accessible". 

   Unix, in particlar, is flexible enough that a sysadmin may have 
non-standard filenames for sensitive files. Some do this as an 
added security precaution. 

   This language was in the paragraph that I had suggested earlier:

 + A server should 
 + make a configuration option available to the system administrator to 
 + ensure that this protection is made sufficiently flexible for 
 + site-specific security considerations. 


+----------------------------------------------------------------------+
 * BearHeart / Bill Weinman 
 * BearHeart@bearnet.com *            * http://www.bearnet.com/ *
 * Author of The CGI Book:    * http://www.bearnet.com/cgibook/ *
 * "To enjoy life, take big bites. Moderation is for monks." 
                                                       --Lazarus Long
Received on Saturday, 30 December 1995 09:52:04 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:38 EDT