Prevent importing files outside import paths #1897
Comments
Cool. You may want to switch off JavaScript support too. W.r.t. imports, if I were you I would look at restricting access the app has. Having said that, I'm working on plugin infrastructure and we would like to
Thanks @lukeapage. We have been discussing this issue internally and we have in mind an approach much stronger in security terms but more complicated. Executing the parser inside a sandbox using the Nevertheless that plugin infrastructure would be great. Thank you!
Hi, just in case you are curious, I have made a proof of concept sandboxing less and making a fake In my machine compiling bootstrap 100 times takes 9.3 seconds, while using less directly it takes 6.7 seconds. So not a big penalty I think.
Thanks @gimenete, this is path for open_basedir https://gist.github.com/hugdx/33b0060431f8f20ad1a7
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
We are thinking of including Less in a software-as-a-service where users can edit their own templates.
We've made a simple test to prevent users @import sensitive files.
This works so they would be able to import files outside their directories. Is there any way to prevent this behavior? It would be great to have something like a 'safeImports' flag that would prevent this.
We know that the parser fails if the imported file is not a valid less file, but we would like to prevent the parser from even reading the file. Is that possible?
Thank you.
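
The check this issue asks for, as an added example (not Less's own code and not written by anyone in this thread): resolve each `@import` target to its canonical path and refuse it, before reading anything, unless it sits under an allowed directory. The function name `resolveImportInside`, the `tenant-a` layout and the file names are hypothetical.

```javascript
// Added example: containment check for @import targets (not Less's own code).
const fs = require("fs");
const os = require("os");
const path = require("path");

// Returns the canonical path of an import when it lies under an allowed root.
// Throws before any file content is read otherwise. One generic error is used
// so the message does not reveal whether an outside file exists.
function resolveImportInside(importPath, currentDir, allowedRoots) {
  const reject = () => { throw new Error("import rejected"); };
  if (importPath.includes("\0")) reject();
  let real;
  try {
    // realpathSync follows symlinks, so a link inside the user's directory
    // is judged by where it really points.
    real = fs.realpathSync(path.resolve(currentDir, importPath));
  } catch (e) {
    reject();
  }
  for (const root of allowedRoots) {
    const rel = path.relative(fs.realpathSync(root), real);
    const escapes = rel === "" || rel === ".." ||
      rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
    if (!escapes) return real;
  }
  reject();
}

// Constructed sample tree: one user directory plus a file outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "less-imports-"));
  const tenant = path.join(base, "tenant-a");
  fs.mkdirSync(tenant);
  fs.writeFileSync(path.join(tenant, "theme.less"), "@c: red;");
  fs.writeFileSync(path.join(base, "secret.conf"), "constructed secret");
  fs.symlinkSync(path.join(base, "secret.conf"), path.join(tenant, "link.less"));
  const verdict = (p) => {
    try { resolveImportInside(p, tenant, [tenant]); return "allowed"; }
    catch (e) { return "rejected"; }
  };
  const out = {
    inside: verdict("theme.less"),
    traversal: verdict("../secret.conf"),
    absolute: verdict(path.join(base, "secret.conf")),
    symlink: verdict("link.less"),
    missing: verdict("nope.less"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

Open the returned canonical path rather than the original import string, so the file that was checked is the file that gets read.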