Re: [Security] The static file emitter is unsafe
From: Nala Ginrut
Subject: Re: [Security] The static file emitter is unsafe
Date: Sat, 31 Oct 2020 03:14:52 +0800
User-agent: mu4e 1.4.13; emacs 27.1

To make this fix consistent with the URL encoding in templates, we hide
the `pub' directory from the client.
For example, you don't access "/pub/js/some.js", but "/js/some.js".

Making `pub' implicit is better for security. That is
to say, if the client can access a static file publicly, then it means
the file is definitely in the `pub' directory. So there's no chance for the
client to access files outside `pub'.

This change will break the webapp in older Artanis. One may need to
remove `pub' in the URL encoding.

Sorry for the inconvenience; if the change can make it better, then we
do it.

Comments?

Best regards.

--
GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
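
The mapping described in this message, sketched in Python as an added illustration; it is not Artanis code and not part of the original mail. The function names, the `private.txt` file and the sample tree are constructed for the example, which assumes the server always prepends `pub` itself and then confirms that the canonical path is still inside it.

```python
import os
import tempfile
from urllib.parse import unquote

class NotServable(Exception):
    """The request path does not name a regular file under pub."""

def resolve_static(pub_root, url_path):
    """Map a request path such as "/js/some.js" to a file under pub_root.

    The client never names `pub`; it is prepended here on every request.
    """
    root = os.path.realpath(pub_root)
    decoded = unquote(url_path)  # percent-decode exactly once
    if "\x00" in decoded:
        raise NotServable(url_path)
    # realpath collapses "." and ".." segments and follows symlinks,
    # so the containment check runs on the file that would be opened.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise NotServable(url_path)
    if not os.path.isfile(candidate):
        raise NotServable(url_path)
    return candidate

def check(pub_root, url_path):
    """Return the served path relative to pub, or None if refused."""
    try:
        found = resolve_static(pub_root, url_path)
    except NotServable:
        return None
    rel = os.path.relpath(found, os.path.realpath(pub_root))
    return rel.replace(os.sep, "/")

def build_demo_tree():
    """Constructed layout: <app>/pub/js/some.js and <app>/private.txt."""
    app = tempfile.mkdtemp()
    os.makedirs(os.path.join(app, "pub", "js"))
    with open(os.path.join(app, "pub", "js", "some.js"), "w") as f:
        f.write("console.log('hi');\n")
    with open(os.path.join(app, "private.txt"), "w") as f:
        f.write("not public\n")
    return os.path.join(app, "pub")

if __name__ == "__main__":
    pub = build_demo_tree()
    for path in ["/js/some.js", "/pub/js/some.js", "/../private.txt",
                 "/js/%2e%2e/%2e%2e/private.txt"]:
        print(path, "->", check(pub, path))
```

The second request shows the compatibility break mentioned in the message: a URL that still spells out `pub` no longer resolves, because it is looked up as `pub/pub/js/some.js`.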