> From: Piroumian Konstantin [mailto:KPiroumian@protek.com]
>
> > From: John Morrison [mailto:john.r.morrison@ntlworld.com]
> >
> > > From: J.Pietschmann [mailto:j3322ptm@yahoo.de]
> > >
> > > > Piroumian Konstantin wrote:
> > > >
> > > > > If your sitemap is somewhere in WEB-INF then having sitemap.xml would be
> > > > > obvious, but if you have the sitemap in the same directory where your
> > > > > content files are located then one could view your sitemap by simply
> > > > > typing 'sitemap.xml' in the request path. To prevent this you would have
> > > > > to set up a special pipeline in your sitemap or use resource constraints
> > > > > in web.xml.
> > > >
> > > > Does using "sitemap.xmap" prevent illegal access?
> > >
> > > Since you do not provide a pipeline for anything that matches
> > > "sitemap.xmap", your sitemap won't be exposed, isn't it? But if you have a
> > > pipeline with a matcher "*.xml" then having "sitemap.xml" in the same
> > > directory will allow viewing your sitemap file. I'd not like to show my
> > > production sitemaps to users.
> >
> > That's assuming that you keep xml in the "root" of your web app along with
> > your sitemap. The examples which come with Cocoon are clearly separated and
> > I've never seen anyone who does keep their production xml in the root
> > either. Of course there's risk, if you make a mistake in the sitemap you can
> > expose anything - even files in WEB-INF (just because the servlet blocks
> > http://xxx//WEB-INF/ doesn't mean you can't do
>
> But what about the sub-sitemaps?
>
> > This can be done only intentionally (or by a newbie). A more realistic
> > example can be:
> >
>
> True, much more realistic.
>
> And you can accidentally mount your sub-sitemaps after this matcher and
> that's it: users type 'subdir/sitemap.xml' and see your sitemap.
>
> > Security isn't something you do once - it's a way of life (a quote I think
> > but I don't know who from).
>
> Agree.
>
> Having the 'xmap' extension for the sitemap only lowers the probability of
> the user viewing it, but, of course, it won't make your website absolutely
> secure.

Agreed, but I don't think it's something we should force on people (putting
it in WEB-INF). The other possibility would be for Cocoon to realise what it's
sending is a sitemap (or sub map) and throw a 404 unless, for example, the
match was marked in some way to _allow_ cocoon control files...

J.

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
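The two mitigations the thread mentions (a guarding pipeline in the sitemap, and a resource constraint in web.xml) side by side with the exposing `*.xml` matcher, as an added illustration that is not code from the thread or from the Cocoon distribution. The file names (`error/not-found.xml`, `subdir/sitemap.xmap`) and the `subdir` mount are assumptions; the `status-code` attribute on `map:serialize` is a Cocoon 2.1 feature and should be checked against the Cocoon version in use:

```xml
<!-- sitemap.xmap (illustrative fragment, hypothetical paths) -->
<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
  <map:pipelines>
    <map:pipeline>

      <!-- Guard: Cocoon tries matchers in document order and the first hit
           wins, so these MUST come before the *.xml catch-all below.
           '**' matches across '/', so subdir/sitemap.xml is covered too. -->
      <map:match pattern="**sitemap.xml">
        <map:generate src="error/not-found.xml"/>     <!-- assumed static document -->
        <map:serialize type="xml" status-code="404"/> <!-- status-code: Cocoon 2.1 -->
      </map:match>
      <map:match pattern="**.xmap">
        <map:generate src="error/not-found.xml"/>
        <map:serialize type="xml" status-code="404"/>
      </map:match>

      <!-- The exposing catch-all from the thread: any request for foo.xml is
           answered by reading foo.xml from the sitemap's own directory and
           serialising it verbatim.  Without the guard above, sitemap.xml
           (and the same matcher copied into a sub-sitemap, subdir/sitemap.xml)
           is served to whoever asks for it. -->
      <map:match pattern="*.xml">
        <map:generate src="{1}.xml"/>
        <map:serialize type="xml"/>
      </map:match>

      <!-- A sub-sitemap mounted here needs the same guard inside it: the
           parent's guard only covers what the parent matches first. -->
      <map:match pattern="subdir/**">
        <map:mount uri-prefix="subdir" src="subdir/sitemap.xmap" check-reload="yes"/>
      </map:match>

    </map:pipeline>
  </map:pipelines>
</map:sitemap>

<!-- web.xml fragment: the container enforces this before Cocoon ever runs,
     independent of matcher ordering in any sitemap.  An empty
     <auth-constraint/> means no role is allowed, i.e. every request for these
     patterns is refused.  Cocoon reads its sitemaps from the filesystem, not
     over HTTP, so the constraint does not affect Cocoon itself. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Cocoon control files</web-resource-name>
    <url-pattern>*.xmap</url-pattern>
    <url-pattern>/sitemap.xml</url-pattern>
    <url-pattern>/subdir/sitemap.xml</url-pattern> <!-- one entry per sub-sitemap -->
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Servlet `url-pattern` only understands exact paths, `/prefix/*` and `*.ext`, so there is no way to say `**/sitemap.xml` in web.xml; every sub-sitemap named `sitemap.xml` needs its own entry. Giving all sitemaps the `.xmap` extension, as the thread suggests, is what lets the single `*.xmap` pattern cover them all, and it is the combination of the two (the `.xmap` naming plus the container constraint) rather than either alone that stays correct as sub-sitemaps are added later.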