Opened 8 years ago

Last modified 8 years ago

#319 new enhancement

Serve .txt files with static-cat

Reported by: andersk Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc:

Description

The original justification for not serving all .txt files to the web was that “some app might put passwords into a config.txt file”. That was stupid. All other web servers serve .txt files by default, so no app could possibly have been relying on our quirk that they don’t get served.

The argument remains that some scripts user might have come to rely on this bug after the fact in their custom code. So let’s send an announcement mail deprecating it, and fix it a few weeks later.

(See also previous discussion in #92.)

Change History (2)

comment:1 Changed 8 years ago by geofft

The argument remains that some scripts user might have come to rely on this bug after the fact in their custom code. So let’s send an announcement mail deprecating it, and fix it a few weeks later.

I don't think that's sufficient -- there might be a web app relying on it whose current maintainers don't realize they're relying on it.

In general, it's a bad idea to capriciously change security policies to be less locked down, even if the old security policy was stupid. Is there a compelling reason other than eliminating stupidity to make this change?

comment:2 Changed 8 years ago by adehnert

We've discussed static-cat and what gets allowed repeatedly:

  • -c scripts -i sipb, on 2011-03-21
  • -c scripts -i 1685762, on 2011-08-03

I'm not sure that there's any relevant technical content, but you could go read them regardless.

Note: See TracTickets for help on using tickets.