ParaViewWeb security bug: unexpected static content behavior
This issue was created automatically from an original Mantis Issue. Further discussion may take place here.
When I start up my ParaViewWeb application without passing any "--content" argument, my expectation is that it won't serve any static content at all. However, it is actually serving all of the static content under whatever the working directory was that I invoked python in, and I didn't realize it was doing this until I looked at the code in web.py. A user could easily accidentally be serving up portions of their filesystem that they don't want to be serving.
I propose we change the behavior to: if no --content arg is passed, then no static content is served at all.
Edited by Julien Fausty
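The difference between the reported behaviour and the proposed one, as an added example that is not ParaViewWeb's code and is not taken from web.py: all function names are hypothetical, and the working-directory fallback is modelled from the description in the report rather than from the actual implementation.

```python
# Added illustration; names are hypothetical and not ParaViewWeb's web.py.
import argparse
import os

def parse_args(argv):
    parser = argparse.ArgumentParser()
    # default=None means "serve nothing", never "serve the current directory".
    parser.add_argument("--content", default=None,
                        help="directory to serve static files from")
    return parser.parse_args(argv)

def static_root_permissive(content, cwd=None):
    """Models the reported behaviour: no --content falls back to the cwd."""
    return os.path.realpath(content or cwd or os.getcwd())

def static_root_fail_closed(content):
    """Proposed behaviour: no --content means there is no static root."""
    if not content:
        return None
    root = os.path.realpath(content)
    if not os.path.isdir(root):
        raise ValueError(f"--content is not a directory: {content!r}")
    return root

def resolve(root, url_path):
    """Return the file a request path maps to, or None (answer 404)."""
    if root is None:
        return None
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    # Reject paths that resolve outside the configured root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

if __name__ == "__main__":
    import sys
    args = parse_args(sys.argv[1:])
    for name, root in (("permissive", static_root_permissive(args.content)),
                       ("fail-closed", static_root_fail_closed(args.content))):
        print(f"{name}: static root = {root}")
```

Run with no arguments, the permissive variant reports the invoking directory as its static root while the fail-closed variant reports `None`, so every static request is answered with a 404.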