Serve .txt files with static-cat

[andersk]

The original justification for not serving all .txt files to the web was that “some app might put passwords into a config.txt file”. That was stupid. All other web servers serve .txt files by default, so no app could possibly have been relying on our quirk that they don’t get served.

The argument remains that some scripts user might have come to rely on this bug after the fact in their custom code. So let’s send an announcement mail deprecating it, and fix it a few weeks later.

(See also previous discussion in #92.)

[geofft]

The argument remains that some scripts user might have come to rely on this bug after the fact in their custom code. So let’s send an announcement mail deprecating it, and fix it a few weeks later.

I don't think that's sufficient -- there might be a web app relying on it whose current maintainers don't realize they're relying on it.

In general, it's a bad idea to capriciously change security policies to be less locked down, even if the old security policy was stupid. Is there a compelling reason other than eliminating stupidity to make this change?

[adehnert]

We've discussed static-cat and what gets allowed repeatedly:

• -c scripts -i sipb, on 2011-03-21
• -c scripts -i 1685762, on 2011-08-03

I'm not sure that there's any relevant technical content, but you could go read them regardless.