When .hidden is false, also hide files from a hidden directory #14
Conversation
|
It's weird that even I don't touch anything with the original git clone of this repo, I still get a lot of errors in the test. |
|
@andyhu it seems that the gzip.json.gz is wrong. |
|
@andyhu rebase with master, and it should be OK. |
|
will try to fix it |
|
Now it should be ok, all the tests are passed |
| // (^|[\/]) matches a path separator or start of the string, . matches leading dot | ||
| // while (?!.[/\]) makes sure that something like /../ should not be matched | ||
| // and is passed to resolve-path to get the correct error response | ||
| return /(^|[\\\/])\.(?!\.[\\\/])/.test(path); | ||
| } |
There was a problem hiding this comment.
@andyhu you check path before normalize, so /./ will treated as is hidden.
I'd rather this
https://github.com/pillarjs/send/blob/master/index.js#L736-L744
wait @jonathanong 's decision
There was a problem hiding this comment.
i like this method better simply because it's easier to understand.
There was a problem hiding this comment.
OK, I agree with that. Using regex is actually more verbose since I have to explain it in the comment..
|
@coderhaoxin I see what you mean, will modify the code to address it |
|
i was looking to use https://github.com/pillarjs/resolve-path for this module, but ran into issues. ideally, this would be solved by resolve-path and this module would simply require it. |
|
actually no... this isn't a security issue... |
|
Yes it's probably not a security issue, the end user has some responsibility to take care of their public directories. So for this specific issue, do you suggest to raise an issue or PR on resolve-path? I'm building a framework based on a bunch of koa-* modules and used this module to serve static files, so I hope it will be rock solid and configurable to the end user. |
|
it makes sense for it to be covered by i just merged your other PR so you're going to need to rebase this PR! |
|
btw you should be using |
|
Thanks! It's a shame that I never read git doc carefully |
|
will you be rebasing soon? |
|
Sorry, not sure why it's automatically closed after rebase, but I will open a new PR soon |
See koajs/file-server#5
We should protect files in directories like
/webroot/public/static/.git/config, but not/webroot/.www/public/static/index.html