Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/01/06 02:18:36 UTC
DO NOT REPLY [Bug 44173] New: - Deny access to backup ~ files by default
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44173>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=44173
Summary: Deny access to backup ~ files by default
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Runtime Config
AssignedTo: bugs@httpd.apache.org
ReportedBy: samuel@slbdata.se
Many text editors (gedit, emacs) create backup files by default (like
"hello.shtml~"). Such files are probably not intended to be served, and serving
them can create various problems:
Because Apache might have been set up to detect MIME types and handlers based on
the file extension (which ends in ~ for backup files), it could make incorrect
decisions when such backup files are to be served. This can potentially be a
security issue, if the file is a script that contains sensitive information
(like database passwords) in its source code.
Unless there is a good reason for serving backup~ files, I think the default
configuration should be changed to deny access to them.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 44173] - Deny access to backup ~ files by default
Posted by bu...@apache.org.
wrowe@apache.org changed:
           What|Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|                            |INVALID
------- Additional Comments From wrowe@apache.org 2008-01-05 17:28 -------
What you describe as picking up the type-by-extension would be true for such
things as .html.tmp (where .html is decoded and .tmp is not recognized)...
but you are entirely incorrect about ~ which is a filename text character, so
unless you define something for the file type .html~ (including the ~) it's not
associated with a file type in mime.types.
In any case, this is a frequent question, but an issue for you to decide how
to deal with; this has been discussed with respect to the default configuration
a number of times in the past and has always been rejected. Search one of the
many archives of dev@httpd.apache.org for more information.
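An added example, not part of the bug thread or of httpd's own code: a simplified Python model of the type-by-extension lookup discussed above, combined with an audit of a document root for editor backup files. The mapping table, suffix list, function names and sample file names are constructed assumptions.

```python
import os
import tempfile

# Constructed sample of extension -> media type entries (a real mime.types is much longer).
MIME_TYPES = {"html": "text/html", "shtml": "text/html", "txt": "text/plain",
              "php": "application/x-httpd-php"}

# Suffixes treated as editor/backup leftovers for this audit (an assumption; extend as needed).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".swp", ".tmp")


def type_by_extension(filename, table=MIME_TYPES):
    """Simplified model of type-by-extension lookup (an assumption, not httpd code).

    The name is split on '.', the first piece (base name) is skipped, and each
    remaining piece is looked up. Unrecognized pieces are ignored and the
    right-most recognized piece wins. Returns None when nothing matches.
    """
    found = None
    for ext in filename.split(".")[1:]:
        found = table.get(ext.lower(), found)
    return found


def audit_docroot(docroot, table=MIME_TYPES):
    """Return sorted (relative_path, resolved_type) pairs for backup-looking files."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(BACKUP_SUFFIXES):
                rel = os.path.relpath(os.path.join(base, name), docroot)
                findings.append((rel.replace(os.sep, "/"), type_by_extension(name, table)))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root in a temporary directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "app"))
    for rel in ("index.html", "hello.shtml", "hello.shtml~",
                "app/config.php", "app/config.php~", "page.html.tmp"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for path, ctype in audit_docroot(build_sample_docroot()):
        print(f"{path}: type by extension = {ctype or 'none (server default applies)'}")
```

A result of `None` means no type or handler mapping applies to the file, so its raw contents are what a request for it would return.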
DO NOT REPLY [Bug 44173] - Deny access to backup ~ files by default
Posted by bu...@apache.org.
------- Additional Comments From samuel@slbdata.se 2008-01-05 17:25 -------
Created an attachment (id=21349)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=21349&action=view)
Patch for trunk