[Security] The static file emitter is unsafe


From: Nala Ginrut
Subject: [Security] The static file emitter is unsafe
Date: Fri, 30 Oct 2020 22:36:16 +0800
User-agent: mu4e 1.4.13; emacs 27.1

Hi folks!
I found a security issue in our static file emitter; let's see an
example:

If you have a file, say, password.json in the `prv' directory, and if you
add `.json' to the static emitter with (init-server #:statics '(html js css json))
in ENTRY, then the URL "/pub/../prv/passwd.json" will expose this
private file.

In theory, this bug can expose any file in any path if you run Artanis
under the root account. I'd strongly suggest you run the server under a safe
account, for instance, www-data.

This bug was fixed in 6ac263b5e6f; the behaviour after the fix forces
the use of absolute paths for static files, that is to say, Artanis will filter
".." in the requested path.

And please keep in mind that you should NEVER put public static files
outside the `pub' directory; this is one of the strong conventions in Artanis.
Vice versa, you should put private files in the `prv' directory.

Comments are welcome.

Best regards.


--
GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
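The check the fix describes, written out as an added Python example (not Artanis's own code); the app root, the `pub'/`prv' layout and the function names are assumptions for illustration. It shows the unsafe "glue the URL onto the app root" behaviour beside a resolver that canonicalises the path and verifies it still lies under `pub', which rejects the "/pub/../prv/passwd.json" request from the report.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout (constructed for this example): an Artanis app root with the
# conventional public 'pub' and private 'prv' directories beneath it.
APP_ROOT = "/srv/artanis-app"
PUB_ROOT = posixpath.join(APP_ROOT, "pub")
# Mirrors (init-server #:statics '(html js css json)) from the report.
STATIC_EXTS = {"html", "js", "css", "json"}


def naive_static_path(url_path: str) -> str:
    """Unsafe behaviour: trust the request path and append it to the app root.

    '/pub/../prv/passwd.json' normalises to a file outside 'pub'.
    """
    return posixpath.normpath(APP_ROOT + url_path)


def safe_static_path(url_path: str):
    """Return the absolute path to serve, or None if the request must be refused."""
    # Decode once so an encoded '..' is judged the same as a literal one.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Only the static extensions the app registered are served as files.
    ext = decoded.rsplit(".", 1)[-1] if "." in decoded else ""
    if ext not in STATIC_EXTS:
        return None
    # Static files live under '/pub/' by convention; anything else is not static.
    if not decoded.startswith("/pub/"):
        return None
    rel = decoded[len("/pub/"):]
    # Canonicalise first, then verify containment rather than just deleting '..'.
    # If 'pub' may contain symlinks, apply os.path.realpath to both sides here.
    candidate = posixpath.normpath(posixpath.join(PUB_ROOT, rel))
    if posixpath.commonpath([PUB_ROOT, candidate]) != PUB_ROOT:
        return None
    return candidate
```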