artanis

Re: [Security] The static file emiter is unsafe


From: Nala Ginrut
Subject: Re: [Security] The static file emiter is unsafe
Date: Sat, 31 Oct 2020 03:14:52 +0800
User-agent: mu4e 1.4.13; emacs 27.1

To make this fix consistent with the URL encoding in templates, we hide
the `pub' directory from the client.

For example, you don't access "/pub/js/some.js", but "/js/some.js".

Making `pub' implicit is better from a security standpoint. That is
to say, if the client can access a static file publicly, then it means
the file is definitely in the `pub' directory. So there's no chance for
the client to access files outside `pub'.

This change will break webapps on older Artanis. One may need to
remove `pub' from the URL encoding.

Sorry for the inconvenience; if the change makes it better, then we
do it.

Comments?

Best regards.

--
GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058

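The confinement rule described in the message above (the client requests "/js/some.js", the server maps it under `pub`, and nothing outside `pub` can be served), written out as an added example. This is not Artanis code: it is Python rather than Guile, and the function names and the temp-directory site layout are constructed for illustration.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

def confine_to_pub(url_path: str) -> Optional[str]:
    """Map "/js/some.js" to the pub-relative path "js/some.js".

    The client never names `pub`; it is implied. Any ".." segment is rejected
    outright rather than normalised away, so nothing can name a parent."""
    decoded = unquote(url_path)            # "%2e%2e" must be seen as ".."
    if "\x00" in decoded or "\\" in decoded:
        return None
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return "/".join(parts)

def resolve_static(pub_root: str, url_path: str) -> Optional[str]:
    """Return the absolute file under pub_root for url_path, or None.
    realpath follows symlinks, so a link inside pub that points outside
    is caught by the prefix check."""
    rel = confine_to_pub(url_path)
    if rel is None:
        return None
    root = os.path.realpath(pub_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if not candidate.startswith(root + os.sep):
        return None
    return candidate if os.path.isfile(candidate) else None

def demo() -> dict:
    """Constructed site layout: pub/js/some.js inside, secret.txt outside,
    and a symlink pub/leak -> secret.txt. Returns which requests are served."""
    with tempfile.TemporaryDirectory() as site:
        pub = os.path.join(site, "pub")
        os.makedirs(os.path.join(pub, "js"))
        with open(os.path.join(pub, "js", "some.js"), "w") as f:
            f.write("// constructed sample\n")
        with open(os.path.join(site, "secret.txt"), "w") as f:
            f.write("not for clients\n")
        try:
            os.symlink(os.path.join(site, "secret.txt"), os.path.join(pub, "leak"))
        except OSError:
            pass                             # no symlink support: case is skipped
        probes = {"new_style": "/js/some.js", "old_style": "/pub/js/some.js",
                  "traversal": "/../secret.txt", "encoded": "/%2e%2e/secret.txt",
                  "symlink": "/leak"}
        return {k: resolve_static(pub, v) is not None for k, v in probes.items()}
```

The `old_style` probe shows the breaking change the message warns about: an older template still emitting "/pub/js/some.js" now looks for `pub/pub/js/some.js` and gets nothing.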

