[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Security] The static file emiter is unsafe

From: Nala Ginrut
Subject: Re: [Security] The static file emiter is unsafe
Date: Sat, 31 Oct 2020 03:14:52 +0800
User-agent: mu4e 1.4.13; emacs 27.1

To make this fix consistent with the URL encoding in template, we hide
`pub' directory to the client.

For example, you don't access "/pub/js/some.js", but "/js/some.js".

Make `pub' inexplicit is better for the security consideration. That is
to say, if the client can access the static file publicly, then it means
the file is definitely in `pub' directory. So there's no chance for the
client to access the files outside `pub'.

This change will break the webapp in older Artanis. One may need to
remove `pub' in the URL encoding.

Sorry for the inconvenience, if the change can make it better, then we
do it.


Best regards.

GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]