
Mailing List Archive: Cherokee: dev

Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken

 

 



codesite-noreply at google

Sep 10, 2009, 1:17 AM

Post #1 of 33 (2050 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken

Status: New
Owner: ----

New issue 571 by binb...@b2host.de: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

It would be nice to have a feature so cherokee doesn't allow downloading of
several configurable filetypes. Let's assume a php script for example fails
or there is an error in the server configuration. The whole source code can
be downloaded from the site now which is actually bad.
With the new feature people shouldn't be able to download for example a
.php file and have the PHP-sourcecode if there is something really broken!!


--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev


codesite-noreply at google

Sep 10, 2009, 4:10 AM

Post #2 of 33 (1987 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #1 on issue 571 by alobbs: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I don't get it. If PHP failed, the server wouldn't allow the source to be
downloaded anyway.

Could you please give an example?



codesite-noreply at google

Sep 10, 2009, 4:25 AM

Post #3 of 33 (1983 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #2 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

if php is not configured it will list&send



codesite-noreply at google

Sep 10, 2009, 4:29 AM

Post #4 of 33 (1987 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #3 on issue 571 by binb...@b2host.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

A description for Apache is here for example:
http://tekrat.com/apache/ap_source_defense/

Dunno if this is possible with cherokee though.



codesite-noreply at google

Sep 10, 2009, 5:46 AM

Post #5 of 33 (1983 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #4 on issue 571 by alobbs: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I must admit I'm kind of puzzled here. :-m

Do you guys want to hard-code a few magic rules in the server? That's plain
wrong; no doubt about it.

We could add a wizard to auto-configure the server to forbid access to
source files. However, it'd require approximately the same effort to run
that wizard as the PHP one, so I can barely see the point.

The server cannot replace an administrator, nor can it figure out whether
each single configuration property makes sense in a real production
environment.

Allow me to give an example: The server could also be configured to store
the log files in /dev/sda, right? It'd screw up the whole disk drive, but
even so, I don't think the server ought to check that kind of thing.



codesite-noreply at google

Sep 10, 2009, 6:09 AM

Post #6 of 33 (1977 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #5 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

See it as a (v)server wide extension php 403.



codesite-noreply at google

Sep 10, 2009, 6:20 AM

Post #7 of 33 (1970 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #6 on issue 571 by binb...@b2host.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Well, that patch is from facebook.com and they are using it exactly like
that.
I would not hardcode it.
Just make it configurable in the web iface and set some extensions by
default so we have a bit more fundamental security.
This change could be enabled/disabled by a configure command as well, so
someone can enable those checks explicitly.
--enable-extended-security-checks or something I dunno.

Having a disk lost because there is /dev/sda configured in cherokee, sorry,
that's the user's own fault and a lack of basic knowledge of unix!!

Having someone read your source code because something is badly broken is
a very high risk and a completely different thing. Sure you cannot simply
replace an administrator, but you can protect from some things easily. For
facebook it was for example a broken PHP extension and their source code
was downloaded.
I personally think that this feature could really save someone's job when
something really fails. :-)



codesite-noreply at google

Sep 13, 2009, 2:00 PM

Post #8 of 33 (1972 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #7 on issue 571 by binb...@b2host.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Well no answer so far, ok.
Would you mind providing a patch so I could hardcode some extensions?



codesite-noreply at google

Sep 13, 2009, 3:29 PM

Post #9 of 33 (1961 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #8 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Didn't test, but might do your thing.

Index: handler_file.c
===================================================================
--- handler_file.c (revision 3584)
+++ handler_file.c (working copy)
@@ -416,6 +416,14 @@
ext = (local_file->buf + local_file->len) - 1;
while (ext > local_file->buf) {
if (*ext == '.') {
+ if (strncmp(ext+1, "php", 3) == 0 ||
+ strncmp(ext+1, "cgi", 3) == 0 ||
+ strncmp(ext+1, "sh", 2) == 0 ||
+ strncmp(ext+1, "py", 2) == 0
+ ) {
+ conn->error_code =
http_access_denied;
+ goto out;
+ }
ret = cherokee_mime_get_by_suffix
(srv->mime, ext+1,
&fhdl->mime);
if (ret == ret_ok)
break;
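Review bot: the strncmp() calls in the added block compare only the first 2 or 3 characters after the dot, so the check is a prefix match: "sh" also denies .shtml, "py" and "php" deny every extension that merely starts with those letters, and because strncmp() is case-sensitive an upper-case .PHP is not covered at all. Compare the whole extension (check the length, then do a case-insensitive compare) and read the list from configuration rather than hardcoding four names in handler_file.c. The poster also notes this is untested, so it needs a test for each listed extension and for a near-miss such as .shtml before it goes in.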




codesite-noreply at google

Sep 13, 2009, 5:13 PM

Post #10 of 33 (1962 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #9 on issue 571 by skarcha: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I agree with Álvaro... As an admin, you must configure your server in the
best way to avoid this sort of problem, or apply your own patches.

Hard-coding doesn't make sense to me. On the other hand, there are other
hard-codings [1]... It's not the same case though, IMHO.

[1] http://svn.cherokee-project.com/browser/cherokee/trunk/cherokee/handler_dirlist.c#L366



codesite-noreply at google

Sep 13, 2009, 5:24 PM

Post #11 of 33 (1970 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Updates:
Status: Accepted
Labels: Type-Enhancement Priority-Low OpSys-All Component-Logic Usability

Comment #10 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I think we should allow some hardcoded (./configure based NEVER server)
file extensions. So something like:
./configure --handler-file-noserve=php,py,cgi
that would automatically generate a pattern that is inserted in the
fileplugin.

I actually could /justify/ this.



codesite-noreply at google

Sep 13, 2009, 11:36 PM

Post #12 of 33 (1958 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #11 on issue 571 by alobbs: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

@binbash:

I just read an IRC discussion between Skinkie and binB4ASH about this topic
(13 Sept ~23pm), and I'd like to make something perfectly clear before we
continue discussing any further:

Generating an argument *will NOT push this feature forward*. In fact,
giving off about the work we all are doing will not help to get it
implemented either. It's plain and simple: the more you help, the higher
priority your requests will get. The more you complain with a childish
attitude, the less attention your reports will receive.

I'll give you just a simple example of how it's worked so far: It was
Stefan who implemented and sent the 8-line patch for the feature you
requested. You know, it was much easier to write the patch than to
generate that argument on the IRC.



codesite-noreply at google

Sep 26, 2009, 8:15 PM

Post #13 of 33 (1888 views)
Permalink
Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Updates:
Status: Started
Owner: ste...@konink.de

Comment #12 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

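# Comma-separated extension list (would come from ./configure).
text="php,perl,bla"
text=`echo $text | tr "," " "`
# Load the words into the positional parameters.
set -- junk $text
shift
# Emit one C "if" that denies every listed extension.
printf 'if ('
for word; do
    # ${#word} is the word's length, used as the strncmp() byte count.
    printf 'strncmp(ext+1, "%s", %d) == 0 || ' "$word" "${#word}"
done | sed 's/ || $/) { conn->error_code = http_access_denied; goto out; }/'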

Maybe something like that in the configure.in; if that works we can replace
it with a #define in the right place in the handler_file. I could use some
help with the configure.in.



codesite-noreply at google

Jan 22, 2010, 6:17 AM

Post #14 of 33 (1505 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #13 on issue 571 by dziastinux: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I see a simpler solution for this. If an extension has a handler (yes, any
handler) and that handler fails, then a 503 HTTP error should be returned
and no further rule checking.



codesite-noreply at google

Jan 22, 2010, 6:24 AM

Post #15 of 33 (1507 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #14 on issue 571 by dziastinux: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

For those who want to resolve this critical security issue I recommend
creating the extension (executable php, py, cgi, sh, ...) handler of type
"HTTP error" just before the default directory listing.



codesite-noreply at google

Jan 22, 2010, 6:31 AM

Post #16 of 33 (1511 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #15 on issue 571 by binb...@b2host.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Ahh right that could be an easy out of the box with what we have solution ;-)



codesite-noreply at google

Jan 22, 2010, 6:43 AM

Post #17 of 33 (1512 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Updates:
Status: Verified

Comment #16 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

User is happy with the current solution. So we can close this bug!



codesite-noreply at google

Jan 27, 2010, 2:29 AM

Post #18 of 33 (1478 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #17 on issue 571 by dziastinux: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I know I suggested a work-around but this is still a serious issue.
On [any] handler failure a 503 HTTP error (Service unavailable) should be
returned and further rule processing should not be done.
In case you refuse to admit the need for the fix, then I will have to ask
you to include my suggested rule by default (in fresh installations and
also in documentation) and that would be a public admission that Cherokee
has a serious security issue.

P.s. I have no experience in C/C++ so I can't write a patch myself (believe
me, it would be a pleasure).



codesite-noreply at google

Jan 27, 2010, 3:11 AM

Post #19 of 33 (1484 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #18 on issue 571 by alobbs: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I have to admit I'm kind of lost at this point. Either I'm missing
something important (the whole point, actually) or this bug report still
does not make any sense.

Let's see. Cherokee does whatever you tell it to do. Nothing more, nothing
less. If you command it to send files by default, that's what it will do.
It doesn't know what it's sending, just because it isn't any of its
business.

If you don't want it to send some files, just "tell" it so. That will be
enough. (It isn't psychic, you know).

For instance: if for some reason, your server isn't configured to execute
PHP, but it has .php files within the document root[1] and you don't want
people to download them, it'd be enough if you added an "Extension PHP,
Handler: Custom Error" rule at the top of your Behavior rule list.

1.- You'd better take those outta there BTW.

So, please, allow me to clarify things a little bit:

1.- Cherokee will never be shipped with hardcoded rules. That's plain
wrong, and as a matter of fact, that is not gonna happen.

2.- When a rule is matched, it's applied. The server does not continue the
rule evaluation if it fails. The server will do whatever you configure it
to do.

@dziastinux, if you still think that there's a bug, please post your
configuration file and I'll check it for you.



codesite-noreply at google

Jan 27, 2010, 3:53 AM

Post #20 of 33 (1476 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #19 on issue 571 by binb...@b2host.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Again, the error handler rule is ok. And I think it's a good solution with
which I can live. Didn't think about it at first.
@dziastinux other servers like Apache Webserver don't ship with those rules
either.
It's ok to have it like it is now.



cherokee at googlecode

Dec 23, 2010, 2:46 PM

Post #21 of 33 (606 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #20 on issue 571 by olafvdspek: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

Lighttpd (Debian) ships with a rule to disallow this. The fact that Apache
doesn't isn't really relevant.

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )



cherokee at googlecode

Dec 23, 2010, 3:02 PM

Post #22 of 33 (609 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #21 on issue 571 by alobbs: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

That's perfectly fine. You can do something similar with Cherokee:

* ..
* ..
* Match = Extensions: php, pl, fcgi - Handler = Custom error: xxx
* Match = Default - Handler: List & Send

Remember that the order of the behavior rules matters.

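The rule ordering described in the post above, as an added example that is not part of the original thread and is not Cherokee code: a small Python model of first-match behavior rules, with a check that reports which script extensions would still end up at a handler that sends the file bytes unchanged. The `Rule` structure, the `serves_raw` flag and the three sample rule lists are constructed for illustration and are not Cherokee's configuration format.

```python
"""First-match behavior rules, modelled in memory (constructed example)."""
import posixpath
from dataclasses import dataclass

# Extensions named in the thread whose source should never be sent as-is.
SCRIPT_EXTS = ("php", "pl", "fcgi")


@dataclass(frozen=True)
class Rule:
    match: str                # "extensions" or "default"
    handler: str              # label shown in the rule list
    exts: tuple = ()          # only used by "extensions" rules
    serves_raw: bool = False  # True when the handler sends file bytes unchanged


def extension(path):
    """Return the text after the last dot of the file name ('' if none)."""
    name = posixpath.basename(path)
    return name.rsplit(".", 1)[1] if "." in name else ""


def first_match(rules, path):
    """Walk the list top to bottom; the first rule that matches wins."""
    ext = extension(path)
    for rule in rules:
        if rule.match == "default":
            return rule
        if rule.match == "extensions" and ext in rule.exts:
            return rule
    return None


def exposed_extensions(rules, script_exts=SCRIPT_EXTS):
    """Script extensions whose winning rule would send the source itself."""
    exposed = []
    for ext in script_exts:
        rule = first_match(rules, "/app/index." + ext)
        if rule is not None and rule.serves_raw:
            exposed.append(ext)
    return exposed


LIST_AND_SEND = Rule("default", "List & Send", serves_raw=True)
DENY_SCRIPTS = Rule("extensions", "Custom error", exts=SCRIPT_EXTS)

# Constructed rule lists, top rule first.
UNCONFIGURED = [LIST_AND_SEND]               # no interpreter rule at all
MISORDERED = [LIST_AND_SEND, DENY_SCRIPTS]   # Default shadows the deny rule
PROTECTED = [DENY_SCRIPTS, LIST_AND_SEND]    # order from the post above

if __name__ == "__main__":
    for name, rules in (("unconfigured", UNCONFIGURED),
                        ("misordered", MISORDERED),
                        ("protected", PROTECTED)):
        print(name, "->", exposed_extensions(rules) or "nothing exposed")
```

Running the same check against a real rule list after every configuration change catches the case the thread argues about: an interpreter rule that was removed or never added, leaving only the default static handler.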


cherokee at googlecode

Dec 23, 2010, 3:10 PM

Post #23 of 33 (609 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #22 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

So Apache doesn't get configured to be 'safe' on Debian. But Lighttpd
does... so what is actually the point? That we should have a n00b
proof 'secure' configuration, while the next bug report will be:

"I get 403 files on my PHP scripts why?"

And then you also wonder, why not serve any executable files
(hence: .py, .sh etc.)

And you come back to: why are those documents in your root folder. This
just shows that people are not configuring their systems, before they start
them.



cherokee at googlecode

Dec 23, 2010, 3:14 PM

Post #24 of 33 (611 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #23 on issue 571 by olafvdspek: RFE: Deny download of configurable
filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

> You can do something similar with Cherokee:

I know. I'm asking for this to be done by default.

I'm not sure what Apache does on Debian.

> And you come back to: why are those documents in your root folder.

It's about being safe by default. I take it that's not a goal of this
project?



cherokee at googlecode

Dec 23, 2010, 3:18 PM

Post #25 of 33 (607 views)
Permalink
Re: Issue 571 in cherokee: RFE: Deny download of configurable filetypes when cgi/fcgi or server config is broken [In reply to]

Comment #24 on issue 571 by ste...@konink.de: RFE: Deny download of
configurable filetypes when cgi/fcgi or server config is broken
http://code.google.com/p/cherokee/issues/detail?id=571

I presume one of the goals of this project is to have a fast, lean and mean
server, with a very nice administration interface. If the only feature you
want to use is: serve files, you basically miss out on all the fun. Because
the next question obviously is: why don't you configure PHP by default. By
default Cherokee is a static webserver. It does everything a static
webserver should do.
