Warning: emacs on live website may cause headaches

If you edit a live website using emacs (which everyone should!), you’ll want to be sure you have these two lines in your .emacs file:

(setq auto-save-default nil)   ; do not create "#index.php#" auto-save files
(setq make-backup-files nil)   ; do not create "index.php~" backup files

emacs tends to make a lot of extra files. This is usually a good thing, especially when trying to recover from a mistake or system crash. When editing files on a live website, however, these additional files can pose a security problem. For example, the default backup file in emacs is simply the original file with a tilde appended (i.e. “index.php~”). Since the extension is no longer “.php”, Apache will not execute this file using PHP, but rather just sends its contents, the PHP source, to anyone who requests it. Ouch. The same could be said about the auto-save files (i.e. “#index.php#”), but with only transient exposure since these files usually go away when editing is completed.
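As an added safety net that is not part of the original post, here is an Apache 2.4 configuration fragment (it assumes the mod_authz_core “Require” syntax) which refuses to serve any file whose name ends in “~” or “#”, so a stray backup or auto-save file returns 403 instead of the PHP source:

```apache
# Added example, not from the original post. Deny access to emacs backup
# files ("index.php~") and auto-save files ("#index.php#") anywhere under
# the document root, in case the .emacs settings above are missing on some
# machine. Put this in the server or virtual-host config, or in .htaccess
# where AllowOverride permits it. FilesMatch tests the file's base name.
<FilesMatch "(~|#)$">
    Require all denied
</FilesMatch>
```

After reloading Apache, fetch a deliberately created test file such as “index.php~” from the site and confirm you get 403 rather than the file contents.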

A good hack on any website would be to crawl all .php files and try to fetch the corresponding .php~ file. I’d bet you could find many sites which would reveal their secrets through this method.