- From: BearHeart / Bill Weinman <BearHeart@bearnet.com>
- Date: Sat, 30 Dec 1995 11:36:08 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 10:07 am 12/28/95 -0600, John Franks wrote:
>all for warnings in the HTTP specification, but it is not very
>realistic to think that any collection of warnings will really remedy
>the situation. You simply can't warn against all the possible risks
>associated with this design.
That's why I suggested language that would suggest that the
server have a configuration option for the sysadmin to specify
wild-cards that would protect against classes of files:
>> + which is used for access-control files, or a filename pattern
>> + commonly used for system files (e.g. "/." for Unix systems, or ".PWL"
>> + for Microsoft Windows systems), should be disallowed. A server should
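Review bot: the proposed text lists example patterns ("/." and ".PWL") but does not say what the pattern is matched against; unless the match is made on the canonicalised request path (after "." and ".." have been resolved, after percent-decoding, and case-folded on Windows, where ".pwl" and ".PWL" name the same file), a prohibition stated in these terms is easy to sidestep, so consider adding that qualification next to the examples.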
That way, I could have entries like this in my access.conf
file:
<Directory /web/doctree>
<Limit GET>
order allow,deny
allow from all
deny files "..*"
deny files ".*"
deny files "*.cgi"
deny files "nph-*"
</Limit>
</Directory>
Currently, I have a server that I'm planning to put on the net.
I am the only user on the system so I didn't see any particular
risk in having local ACFs in the filesystem until I realized that
they could be retrieved by a GET. If I could restrict them as
I've shown here, I would be able to use them.
+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* BearHeart@bearnet.com * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* "To enjoy life, take big bites. Moderation is for monks."
--Lazarus Long
Received on Saturday, 30 December 1995 09:39:33 UTC
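The "deny files" entries proposed in the message above are hypothetical access.conf syntax, not a directive NCSA or Apache httpd actually had. The following is an added example, not code from the message or from any server, of what a server would have to do to honour such entries safely: it applies the shell-style patterns to every component of the canonicalised request path (percent-decoded, with "." and ".." resolved), so that ".htaccess" cannot be fetched as "/docs/../.htaccess" or "/%2ehtaccess", and it optionally case-folds so that ".PWL" also catches "bill.pwl" on a Windows filesystem. The pattern list and the case-insensitivity switch are assumptions for the example; the function names are invented.

```python
"""Added example: a request-path filter in the spirit of the "deny files"
access.conf entries proposed in the message.  Not NCSA/Apache code; the
directive syntax in the message is hypothetical, and this is one way a
server could enforce it."""
import fnmatch
import posixpath
from urllib.parse import unquote

# Assumed deny list, modelled on the access.conf entries in the message
# (dotfiles, CGI scripts, nph- scripts) plus the spec's ".PWL" example.
DENY_FILE_PATTERNS = [".*", "*.cgi", "nph-*", "*.pwl"]


def canonical_components(request_path, case_insensitive=False):
    """Percent-decode the path, resolve "." / ".." / "//", and split it
    into its components.  posixpath.normpath never climbs above "/", so
    an excess of ".." segments cannot escape the document root."""
    path = posixpath.normpath("/" + unquote(request_path))
    parts = [p for p in path.split("/") if p]
    if case_insensitive:
        # Case-insensitive filesystems (e.g. Windows) treat BILL.PWL and
        # bill.pwl as the same file, so compare in one case.
        parts = [p.lower() for p in parts]
    return parts


def is_denied(request_path, patterns=DENY_FILE_PATTERNS, case_insensitive=False):
    """True if any component of the canonical path matches a deny pattern.
    Every component is checked, not just the basename, so a file inside a
    dot-directory such as /.private/x is refused as well."""
    pats = [p.lower() for p in patterns] if case_insensitive else list(patterns)
    for component in canonical_components(request_path, case_insensitive):
        for pat in pats:
            if fnmatch.fnmatchcase(component, pat):
                return True
    return False


def check_requests(requests, case_insensitive=False):
    """Return {request_path: "deny" | "allow"} for a batch of request paths."""
    return {
        r: ("deny" if is_denied(r, case_insensitive=case_insensitive) else "allow")
        for r in requests
    }


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    sample = [
        "/web/doctree/index.html",
        "/web/doctree/.htaccess",
        "/docs/../.htaccess",
        "/%2ehtaccess",
        "/cgi-bin/nph-test",
        "/docs/page.cgi",
        "/users/BILL.PWL",
    ]
    for path, verdict in check_requests(sample).items():
        print(f"{verdict:5s} {path}")
    print("Windows (case-folded):", check_requests(["/users/BILL.PWL"], case_insensitive=True))
```

Two things the message's entries alone do not make explicit, and which the example is built around: the match has to happen after the path has been decoded and normalised, otherwise a client can reach the access-control file through "..", doubled slashes or "%2e"; and on a case-insensitive filesystem the pattern must be compared case-insensitively, otherwise "*.pwl" lets "BILL.PWL" through, which is the last line of the sample output.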