Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/01/06 02:18:36 UTC

DO NOT REPLY [Bug 44173] New: - Deny access to backup ~ files by default

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44173>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44173

           Summary: Deny access to backup ~ files by default
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Runtime Config
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: samuel@slbdata.se


Many text editors (gedit, emacs) create backup files by default (like
"hello.shtml~"). Such files are probably not intended to be served, and serving
them can create various problems:

Because Apache might have been set up to detect MIME types and handlers based on
the file extension (which ends in ~ for backup files), it could make incorrect
decisions when such backup files are to be served. This can potentially be a
security issue, if the file is a script that contains sensitive information
(like database passwords) in its source code.

Unless there is a good reason for serving backup~ files, I think the default
configuration should be changed to deny access to them.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 44173] - Deny access to backup ~ files by default

Posted by bu...@apache.org.


wrowe@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From wrowe@apache.org  2008-01-05 17:28 -------
What you describe as picking up the type-by-extension would be true for such
things as .html.tmp (where .html is decoded and .tmp is not recognized)...

but you are entirely incorrect about ~ which is a filename text character, so
unless you define something for the file type .html~ (including the ~) it's not
associated with a file type in mime.types.

In any case, this is a frequent question, but an issue for you to decide how
to deal with; this has been discussed with respect to the default configuration
a number of times in the past and has always been rejected.  Search one of the
many archives of dev@httpd.apache.org for more information.



DO NOT REPLY [Bug 44173] - Deny access to backup ~ files by default

Posted by bu...@apache.org.





------- Additional Comments From samuel@slbdata.se  2008-01-05 17:25 -------
Created an attachment (id=21349)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21349&action=view)
Patch for trunk


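
Since the thread leaves handling of backup files to the administrator, one way to find them is to walk the document root and list every file ending in ~, as in this added example (not part of the original messages or of Apache httpd). The function names, the constructed sample tree and the set of extensions treated as sensitive are assumptions.

```python
import os
import tempfile

# Assumption: extensions whose source often holds server-side logic or secrets.
SENSITIVE_EXTS = {".php", ".shtml", ".cgi", ".pl", ".py", ".inc"}


def find_backup_files(docroot):
    """Return sorted (relative_path, sensitive) pairs for files ending in '~'."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            if not name.endswith("~"):
                continue
            # Extension of the file the editor backed up (hello.shtml~ -> .shtml)
            ext = os.path.splitext(name[:-1])[1].lower()
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            findings.append((rel.replace(os.sep, "/"), ext in SENSITIVE_EXTS))
    return sorted(findings)


def build_sample_docroot(root):
    """Create a small constructed tree with live files and their '~' backups."""
    files = {
        "index.html": "<p>hi</p>",
        "hello.shtml": "<!--#echo var=\"DATE_LOCAL\" -->",
        "hello.shtml~": "<!--#echo var=\"DATE_LOCAL\" -->",
        "app/config.php": "<?php $db_password = 'constructed-sample'; ?>",
        "app/config.php~": "<?php $db_password = 'constructed-sample'; ?>",
        "notes.txt~": "draft",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def audit_sample():
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_backup_files(root)


if __name__ == "__main__":
    for rel, sensitive in audit_sample():
        print(("REVIEW " if sensitive else "backup ") + rel)
```

Entries marked REVIEW are backups of files whose live version would normally be processed by the server rather than sent as source.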