WebStaticServer serves everything


WebStaticServer serves everything

Herbert König
Hi,

now that my WebStaticServer is working I noticed that it serves just
everything from the folder the image is in.

On one hand this is nice as it saves a lot of work, on the other hand,
if I know the name of my Smalltalk image WebStaticServer will happily
offer it for download if I enter the correct URL.

Is there a canonical way to deal with this or do I have to modify
WebStaticServer>>resourceFor: to keep my private files private?
Easiest would be to just prepend a subfolder (like /static) to the URL
and keep my static files in there.

Any opinion or guidance welcome.

Cheers

Herbert
_______________________________________________
Aida mailing list
[hidden email]
http://lists.aidaweb.si/mailman/listinfo/aida
Re: WebStaticServer serves everything

Herbert König
Hi,



HK> Is there a canonical way to deal with this or do I have to modify
HK> WebStaticServer>>resourceFor: to keep my private files private?
HK> Easiest would be to just prepend a subfolder (like /static) to the URL
HK> and keep my static files in there.

to reply to my own question: just use AidaSite>>homeDirectory: to a
proper directory.



Cheers,

Herbert                            mailto:[hidden email]

Re: WebStaticServer serves everything

Janko Mivšek
Hi Herbert,

What if we change the default home directory for static serving to
./static instead? If this directory doesn't exist, nothing will be
served. This will prevent browsing a home directory with image and
.changes files, among others, which is certainly a security risk.

Best regards
Janko

On 15. 10. 2012 16:14, Herbert König wrote:

> Hi,
>
>
>
> HK> Is there a canonical way to deal with this or do I have to modify
> HK> WebStaticServer>>resourceFor: to keep my private files private?
> HK> Easiest would be to just prepend a subfolder (like /static) to the URL
> HK> and keep my static files in there.
>
> to reply to my own question: just use AidaSite>>homeDirectory: to a
> proper directory.
>
>
>
> Cheers,
>
> Herbert                            mailto:[hidden email]
>

--
Janko Mivšek
Information technology consultant
Eranova d.o.o.
Ljubljana, Slovenia
www.eranova.si
tel:  01 514 22 55
fax: 01 514 22 56
mobile: 031 674 565
Re: WebStaticServer serves everything

Herbert König
Hi Janko,

seems useful to me because the images directory contains a lot of
sensitive data. At least in Squeak you can wget squeak.ini and know the
image name.

Cheers,

Herbert

On 15.10.2012 16:58, Janko Mivšek wrote:

> Hi Herbert,
>
> What if we change the default home directory for static serving to
> ./static instead? If this directory doesn't exist, nothing will be
> served. This will prevent browsing a home directory with image and
> .changes files, among others, which is certainly a security risk.
>
> Best regards
> Janko
>
>

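Janko's proposed default (serve only from ./static, serve nothing when that folder is missing) next to the old "whole image folder" behaviour, exercised against the kind of files Herbert lists. This is an added Python illustration, not Aida or Squeak code; the function names, the sample file names and the constructed directory layout are assumptions.

```python
import tempfile
from pathlib import Path
from typing import Optional

def serve_from_home(home: Path, url_path: str) -> Optional[Path]:
    """Old default: map the URL straight onto the image directory."""
    candidate = (home / url_path.lstrip("/")).resolve()
    return candidate if candidate.is_file() else None

def resolve_static(home: Path, url_path: str) -> Optional[Path]:
    """Proposed default: serve only from ./static below the home directory.
    Returns the file to serve, or None when the request must be refused."""
    static_root = (home / "static").resolve()
    if not static_root.is_dir():
        return None                        # no ./static -> nothing is served
    candidate = (static_root / url_path.lstrip("/")).resolve()
    try:                                   # resolve() follows symlinks, so a link
        candidate.relative_to(static_root) # leading out of ./static is refused too
    except ValueError:
        return None
    return candidate if candidate.is_file() else None

def build_demo_home(with_static: bool = True) -> Path:
    """Constructed sample layout of an image folder (sample data, not a real site)."""
    home = Path(tempfile.mkdtemp()) / "image"   # parent stays empty on purpose
    home.mkdir()
    for name in ("myimage.image", "myimage.changes", "squeak.ini"):
        (home / name).write_text("private\n")
    if with_static:
        (home / "static").mkdir()
        (home / "static" / "logo.png").write_bytes(b"\x89PNG sample")
    return home

def demo() -> dict:
    """For each request: (served by old default?, served by ./static policy?)."""
    home = build_demo_home()
    requests = ["/logo.png", "/squeak.ini", "/myimage.image",
                "/myimage.changes", "/../squeak.ini"]
    return {r: (serve_from_home(home, r) is not None,
                resolve_static(home, r) is not None) for r in requests}

if __name__ == "__main__":
    for url, (old, new) in demo().items():
        print(f"{url:20} old default: {old!s:6} ./static policy: {new}")
```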
Re: WebStaticServer serves everything

Janko Mivšek
Done! Thanks for exposing that security problem, Herbert.

Best regards
Janko

On 15. 10. 2012 17:09, Herbert König wrote:

> Hi Janko,
>
> seems useful to me because the images directory contains a lot of
> sensitive data. At least in Squeak you can wget squeak.ini and know the
> image name.
>
> Cheers,
>
> Herbert
>
> On 15.10.2012 16:58, Janko Mivšek wrote:
>> Hi Herbert,
>>
>> What if we change the default home directory for static serving to
>> ./static instead? If this directory doesn't exist, nothing will be
>> served. This will prevent browsing a home directory with image and
>> .changes files, among others, which is certainly a security risk.
>>
>> Best regards
>> Janko
>>
>>
>