Thoughts on the Facebook Leak, Part 1

1950’s businessman whose pants have fallen downBy now, you’ve probably heard that for a brief period, a server configuration error caused some Facebook users to see its PHP code rather than the familiar Facebook pages that the code was supposed to render.

How the Code Got Out There

Tony Hung at Deep Jive Interests asked the question “Could a server misconfiguration send out the whole source code in its entirety when you put in the Facebook URL?”

It seems strange that such a simple thing could give away your source, but as anyone who’s set up PHP on a server a number of times will tell you, it can happen.

When you visit a static HTML page — that’s a plain old HTML page that wasn’t generated by some server-side script written in PHP or any number of programming languages — the web server simply hands over the contents of the page (the HTML) over to your browser. Your browser renders the HTML as a web page:

How static web pages are served

The opposite of a static page is a dynamic one, in which the content is generated on the fly — the server isn’t just handing over the contents of a file. Instead, it calls on some program to cull data from one or more sources and then use that data to assemble some HTML which is then sent to your computer:

How your Facebook homepage is served.

What happens when the server is configured incorrectly in such a way that the code for a dynamic page never gets sent through the code interpreter? One common result is that the code gets sent directly to the user. Instead of seeing the result of running the code, the user ends up seeing the code itself. That’s what seems to have happened with Facebook.