I don't plan on changing the default configuration from whitelist to blacklist... it's the fallback.

I'm a fan of "deny unless explicitly authorized", as well. The AssetProtectionDispatcher takes an ordered configuration of AssetPathAuthorizer's, with the default whitelist implementation being the "catch all" final authorizer in what amounts to a chain of command. So you can certainly contribute your own implementations of authorizer on top of the default. Having a pattern matching whitelist would certainly be useful; I'm in a time crunch at the moment (and basically will be until the end of August), but in the beginning of September, I will rework the default WhitelistAuthorizer to accept url patterns.

Robert
On Aug 3, 2007, at 8:38:27 AM, Thiago H de Paula Figueiredo wrote:

On Fri, 03 Aug 2007 10:03:37 -0300, Francois Armand <[EMAIL PROTECTED]> wrote:

Thiago H de Paula Figueiredo wrote:

Would a black list instead of a white list be better? I suppose there are fewer files to hide than files to allow access to.

Well, I think that one of the best principles in security is "explicit authorization": you just do not want a confidential file to be accessible by error, because a user forgot to hide it.

That's a very good point. ;)

But I agree that the white list should authorize jokers to enable "*.jpg" kind of filters (and if you name your confidential file "picture_of_my_secret_weapon.jpg", well, too bad for you ;)

Maybe we could allow any .jpg, .gif, .jpg and .css file by default and explicitly whitelist the rest.

And no, I don't want to see the picture of your secret weapon, whatever it is. :P

Thiago
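As an added illustration (this is not code from the thread or from Tapestry; the class names follow Robert's description, but the `authorize` interface, the glob matching and the sample rules are my assumptions), here is the chain-of-command shape he describes, with the explicit deny list Thiago asked for placed ahead of the pattern whitelist so a confidential file named "*.jpg" is still refused, and with the path normalised first so "css/../WEB-INF/web.xml" is judged as the file it actually names:

```python
"""Deny-by-default asset authorization as an ordered chain of authorizers.

Constructed example. Class names mirror the mailing-list discussion; the
method signatures and sample rules are assumptions, not Tapestry's API.
"""
import fnmatch
import posixpath
from enum import Enum
from typing import Iterable, Sequence


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ABSTAIN = "abstain"  # no opinion; let the next authorizer in the chain decide


class AssetPathAuthorizer:
    """Hypothetical interface: each authorizer votes ALLOW, DENY or ABSTAIN."""

    def authorize(self, path: str) -> Decision:
        raise NotImplementedError


class BlacklistAuthorizer(AssetPathAuthorizer):
    """Explicit denial for paths that must never be served, even when a broad
    whitelist pattern such as "*.jpg" would otherwise match them."""

    def __init__(self, patterns: Iterable[str]):
        self.patterns = list(patterns)

    def authorize(self, path: str) -> Decision:
        if any(fnmatch.fnmatchcase(path, p) for p in self.patterns):
            return Decision.DENY
        return Decision.ABSTAIN


class PatternWhitelistAuthorizer(AssetPathAuthorizer):
    """Terminal 'catch all' authorizer: allow on a glob match, deny otherwise.
    It never abstains, so anything not explicitly authorized is refused."""

    def __init__(self, patterns: Iterable[str]):
        self.patterns = list(patterns)

    def authorize(self, path: str) -> Decision:
        if any(fnmatch.fnmatchcase(path, p) for p in self.patterns):
            return Decision.ALLOW
        return Decision.DENY


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and strip the leading slash so patterns
    are matched against the file the request really resolves to."""
    return posixpath.normpath(path.replace("\\", "/")).lstrip("/")


class AssetProtectionDispatcher:
    """Consults authorizers in order; the first non-abstaining vote wins."""

    def __init__(self, chain: Sequence[AssetPathAuthorizer]):
        self.chain = list(chain)

    def is_accessible(self, raw_path: str) -> bool:
        path = normalize(raw_path)
        # Anything that still escapes the asset root after normalisation is refused.
        if path in (".", "..") or path.startswith("../"):
            return False
        for authorizer in self.chain:
            decision = authorizer.authorize(path)
            if decision is not Decision.ABSTAIN:
                return decision is Decision.ALLOW
        return False  # fallback: deny unless explicitly authorized


def build_default_dispatcher() -> AssetProtectionDispatcher:
    """Sample configuration (constructed): explicit denials first, then the
    whitelist catch-all for the usual static types plus one explicit document."""
    return AssetProtectionDispatcher([
        BlacklistAuthorizer([
            "WEB-INF/*",
            "META-INF/*",
            "*.properties",
            "images/picture_of_my_secret_weapon.jpg",
        ]),
        PatternWhitelistAuthorizer([
            "*.jpg", "*.gif", "*.png", "*.css",
            "reports/public-*.pdf",
        ]),
    ])


if __name__ == "__main__":
    d = build_default_dispatcher()
    for p in ("images/logo.jpg", "images/picture_of_my_secret_weapon.jpg",
              "css/../WEB-INF/web.xml", "reports/q3.pdf", "reports/public-q3.pdf"):
        print(f"{p!r}: {'allow' if d.is_accessible(p) else 'deny'}")
```

The ordering is the whole point of the chain: because the blacklist sits in front of the whitelist, a "*.jpg" joker cannot accidentally expose a file that was explicitly listed as confidential, while the whitelist remains the final word for everything else and denies whatever nobody authorized.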
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]