Re: Fwd: New Version Notification for draft-nottingham-site-meta-03

Bil Corry <bil@corry.biz> Fri, 25 September 2009 04:57 UTC

Message-ID: <4ABC4D8A.30506@corry.biz>
Date: Thu, 24 Sep 2009 23:56:42 -0500
From: Bil Corry <bil@corry.biz>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
Subject: Re: Fwd: New Version Notification for draft-nottingham-site-meta-03
References: <20090917065629.BBC103A682A@core3.amsl.com> <0745006F-CE26-4E8F-A67D-32BED74D7E15@mnot.net> <4AB22AC7.5050704@corry.biz> <4AB22CC7.10607@gmx.de> <90C41DD21FB7C64BB94121FBBC2E72343784D57F09@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343784D57F09@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: Apps Discuss <discuss@apps.ietf.org>

Hmm, apparently blocking on a leading dot isn't as widespread as I would have thought:

	http://www.techcrunch.com/2009/09/23/basic-flaw-reveals-source-code-to-3300-popular-websites/


FWIW, this is the Apache mod_rewrite rule I'm using to block requests that have path components that begin with a dot or underscore, yet it allows /.well-known/ requests:

	RewriteCond %{REQUEST_URI}  !^/\.well-known/.*$
	RewriteRule (^|/)(_|\.).*$  - [L,NS,F]


- Bil


Eran Hammer-Lahav wrote on 9/17/2009 10:57 AM: 
> Exactly.
> 
> The fact that it takes more steps to enable /.well-known/ is in line with our goal of using a non-obvious path that is usually not permitted as part of usernames in social networks and other sites.
> 
> But thanks for pointing this out as it will help us get more adoption by letting people know to check for such restrictions.
> 
> EHL
> 
>> -----Original Message-----
>> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org] On Behalf Of Julian Reschke
>> Sent: Thursday, September 17, 2009 5:34 AM
>> To: Bil Corry
>> Cc: Apps Discuss
>> Subject: Re: Fwd: New Version Notification for draft-nottingham-site-meta-03
>>
>> Bil Corry wrote:
>>> Mark Nottingham wrote on 9/17/2009 1:59 AM:
>>>> See:
>>>>   http://www.ietf.org/id/draft-nottingham-site-meta-03.txt
>>> From the above:
>>> ---8<---
>>> A well-known URI is a URI [RFC3986] whose path component begins with
>>> the characters "/.well-known/".
>>> --->8---
>>>
>>> I know for my own server, any file or directory within the path
>> component that begins with a period or underscore returns 403.  That's
>> to prevent serving .htaccess, .svn, .project, ._.DS_Store, __MACOSX,
>> and other configuration-type files and directories -- leading periods
>> and underscores seem to be popular for them.  I can add an exception
>> for "/.well-known/", but wanted to mention it in case there were other
>> alternatives being considered for the path component.
>>> ...
>> I think that's actually a strong point *in favor* of using a leading
>> dot
>> (less chance for overlap with real-world URIs).
>>
>> BR, Julian
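Editor's note, added to this archived message and not part of the thread or of any Apache project code: the mod_rewrite pair Bil posted is worth checking against a list of request paths before it goes live, because `RewriteCond` and `RewriteRule` patterns are regular expressions applied as unanchored searches, and a `.` that is meant literally (as in `/.well-known/`) must be written `\.`, or it matches any character. The script below models that rule pair in Python (Python's `re` is close enough to Apache's PCRE for these patterns) and assumes server or virtual-host context, where the pattern is applied to the already-canonicalised URL path starting with `/`. The sample paths are constructed, not taken from any real log.

```python
import re

# Added example: a Python model of the posted mod_rewrite pair, used to check
# which request paths it blocks. Apache applies both RewriteCond and RewriteRule
# patterns as unanchored regex searches against the canonicalised path (server or
# vhost context assumed, so every path starts with "/").

RULE_PATTERN = r"(^|/)(_|\.).*$"          # RewriteRule (^|/)(_|\.).*$  - [L,NS,F]

# RewriteCond written with an unescaped "." (a common slip: "." is a metacharacter)
COND_UNESCAPED = r"^/.well-known/.*$"
# RewriteCond with the dot escaped: only a literal "/.well-known/" prefix is exempt
COND_ESCAPED = r"^/\.well-known/.*$"


def decide(path: str, cond_pattern: str) -> str:
    """Return '403' or 'allow' for one request path under the rule pair.

    The "!" on the RewriteCond negates it: the RewriteRule is evaluated only
    when the path does NOT match cond_pattern.
    """
    if re.search(cond_pattern, path):
        return "allow"                     # exempted by the RewriteCond
    if re.search(RULE_PATTERN, path):
        return "403"                       # [F] -> Forbidden
    return "allow"


def compare(paths):
    """Map each path to (decision with unescaped dot, decision with escaped dot)."""
    return {p: (decide(p, COND_UNESCAPED), decide(p, COND_ESCAPED)) for p in paths}


def bypasses(paths):
    """Paths that get through only because the exemption's dot was left unescaped."""
    return [p for p, (loose, strict) in compare(paths).items()
            if loose == "allow" and strict == "403"]


# Constructed sample requests (not from any real server log).
SAMPLE_PATHS = [
    "/index.html",
    "/.htaccess",
    "/.svn/entries",
    "/docs/.git/config",
    "/__MACOSX/report.doc",
    "/images/._.DS_Store",
    "/a_b/c.txt",                  # underscore not at a segment start: allowed
    "/.well-known/host-meta",      # the exemption working as intended
    "/_well-known/secret.txt",     # unescaped "." matches "_": slips through
    "/xwell-known/.htaccess",      # unescaped "." matches "x": slips through
    "/.well-known/.htaccess",      # allowed by BOTH variants: the exemption covers the whole subtree
]

if __name__ == "__main__":
    for path, (loose, strict) in compare(SAMPLE_PATHS).items():
        print(f"{path:28s} unescaped={loose:5s} escaped={strict}")
    print("bypasses via unescaped dot:", bypasses(SAMPLE_PATHS))
```

Two things the table makes visible. First, with the dot unescaped, `/_well-known/...` and `/xwell-known/.htaccess` are exempted from the block even though they start with exactly the characters the rule exists to reject. Second, even with `\.`, the exemption covers everything under `/.well-known/`, so a dot-file placed there (for example `/.well-known/.htaccess`) is not caught by this rule pair; the stock `<Files ".ht*">` deny block in a default httpd.conf still covers `.htaccess` itself, but anything else you would not want served from that directory needs its own rule or simply should not be put there.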