-
Notifications
You must be signed in to change notification settings - Fork 761
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add 2 arguments to websockify.WSRequestHandler for security #465
Comments
The pull request about should fix this issue (the autoclose syntax was just a bit off, though) |
The file_only argument makes sense. However, I don't understand the logic or purpose of no_parent. First of all, when is it ever useful to allow returning files outside the web root? I believe this should never be allowed, thus "no_parent" should be default. Also, as far as I can tell, this was already the case: I don't see how it was ever possible to retrieve files outside the web root. We are using SimpleHTTPRequestHandler and its translate_path function (which sets .path) filters out ".." etc. |
* commit '6d27b5d321978586ea1601f757ead73dfba03da7': Add 2 arguments to websockify.WSRequestHandler As of now, only implemented the first command; see #83 for details.
For additional security, it would be good to add 2 arguments to websockify.WSRequestHandler as follows:
are requested.
out of the web root are requested.
This would enhance an additional layer of security to the web requests.
A patch is welcome, or I can submit one.
The text was updated successfully, but these errors were encountered: