Help following symlinks #18

Open
scoutpup opened this issue Jun 22, 2022 · 2 comments
@scoutpup

Hi! I am trying to use this to access a symlinked folder and it says "failed to load folder. Invalid path specified" even though when I hover over the symlink folder it shows the folder's owner, group, etc, which makes me think I might be missing something silly, or maybe it's intended not to follow symlinks?!

Not sure if this is a bug or an intended feature so sorry if it's not appropriate to raise here as an issue!

@cubiclesoft
Owner

It most likely depends on where the symlink is pointing and what is happening on the server side. If you are using the FileExplorerFSHelper class and it is pointing outside of the base path, then GetSanitizedPath() is going to return a failure response. Changing GetSanitizedPath() is likely to lead to security vulnerabilities - its purpose is to prevent accessing locations on the system that could be dangerous by restricting filesystem access to the base path. The concept of directly accessing a filesystem from a web browser carries a lot of security caveats. You don't want to have an attacker gain read or write access to areas of the filesystem outside of the expected purview of the application. Attackers sending falsified paths that leave the current base path is almost always going to be a problem from a security perspective.

If you are inside the base path, then the other possibility is permissions. The web server user has to be able to read the target of a symlink. That's baked into the OS itself. Reading the attributes of a file/directory in a directory you have access to doesn't require the same permissions as accessing the file/directory. That's why you can obtain the information that you are seeing.
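
An added illustration of the behaviour described in the comment above, not part of the thread and not the project's FileExplorerFSHelper code: a base-path check that resolves symlinks before comparing, run on a constructed temporary tree. The name `resolve_inside_base` and the directory names are hypothetical, and POSIX symlink support is assumed.

```python
import os
import stat
import tempfile


def resolve_inside_base(base, user_path):
    """Return the resolved path, or None if it ends up outside base."""
    base_real = os.path.realpath(base)
    # realpath() collapses ".." and follows symlinks, so the comparison is made
    # on the location that would really be opened, not on the supplied string.
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def demo():
    """Build a constructed directory tree and run the check against it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")            # hypothetical base path
        outside = os.path.join(root, "second_drive")  # lives outside the base
        os.makedirs(os.path.join(base, "docs"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "drive"))
        os.symlink(os.path.join(base, "docs"), os.path.join(base, "shortcut"))

        # lstat() describes the link entry itself without opening its target,
        # which is why a listing can show owner/group for a refused path.
        link_mode = os.lstat(os.path.join(base, "drive")).st_mode
        return {
            "link_is_symlink": stat.S_ISLNK(link_mode),
            "docs": resolve_inside_base(base, "docs") is not None,
            "shortcut": resolve_inside_base(base, "shortcut") is not None,
            "drive": resolve_inside_base(base, "drive") is not None,
            "dotdot": resolve_inside_base(base, "../second_drive") is not None,
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

A symlink whose target stays inside the base (`shortcut`) passes, while one that leaves it (`drive`) is refused exactly like a `..` traversal.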

@scoutpup
Author

Makes sense; thanks for the clarification! In my case I'm trying to make the contents of a second hard drive available in the application; I'll try making that hard drive the base path. As only trusted users will have access to the system I'm not too worried about malicious actors, but will keep your points in mind.
