Can we add ability to override default static path sandbox model? #233

Closed
ryedin opened this Issue · 4 comments

4 participants

@ryedin

https://github.com/senchalabs/connect/blob/master/lib/middleware/static.js#L120

I'd like to be able to create white-list routes to common resources that live outside the "/" of the running app. The example is that we have a set of common framework files in /path/to/framework/, and then multiple apps that live at /path/to/framework/app1 (etc.).

The cited line at the top of the issue prevents me from explicitly saying that files in /path/to/framework/common/ are OK to serve.

Can an option be added to allow explicitly serving such resources? So the cited line might end up like this: https://gist.github.com/860974

thoughts?

@dready92

Hello,

Why don't you use two static middleware to serve your static files from your two locations:

```js
connect.createServer(
  connect.static('/path/to/framework/app1'), // check static files from app location
  connect.static('/path/to/framework/common') // then check from shared location
).listen(3000);
```

Regards,

Mickael

@ryedin

Mickael, your code assumes the connect.createServer() is being done from the /path/to/framework level, which is not the case. Each app has an app.js file, which is what is being executed via 'node app.js'. So, the actual connect server(s) are running at each app's level.

I understand there are several ways to work around this (for now we're using a symlink in each app that points out to the framework common folder)... but it would be nicer (IMHO) if Connect wasn't quite so opinionated here (i.e. let me, the dev, decide whether or not I want to allow serving certain files that are a level or two outside my running app). I get that the default behavior of locking it down is Good, but I think we should still be able to tell Connect.static.send that "this file, or path, is OK".

Are there really any showstopping issues with adding an 'allowUnsafe' (or whatever we want to call it) switch to Connect.static.send() so that we can override that rule?

@dready92

Hmmm... I don't really get your point; certainly I don't understand your setup really well.

My code does not assume it's done from the /path/to/framework level, and what I was trying to show is the beauty of middleware stacking done "the connect way".

Let me give you another example (but as I understand you already know connect very well):

app1.js (whatever its location on the hard drive):

```js
connect.createServer(
  connect.static('/path/to/framework/app1'), // check static files from app location
  connect.static('/usr/share/common/files') // then check from shared location
).listen(3000);
```

app2.js (whatever its location on the hard drive):

```js
connect.createServer(
  connect.static('/path/to/framework/app2'), // check static files from app location
  connect.static('/usr/share/common/files') // then check from shared location
).listen(3000);
```

In your first message, getting "routes to common resources that live outside the "/" of the running app" is possible; in fact it's the default. If you do a

```js
connect.static('/')
```

and you then request "GET /etc/passwd" it'll work: "/" is not relative to your running app, it's an absolute path on the filesystem.

regards,

Mickael
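The root-containment rule debated above, combined with the two-root stacking from the replies, as an added example that is not part of the original thread and not Connect's own code. `resolveStatic`, `isInside`, `naivePrefixCheck`, the `exists` callback and the `app1-private` directory are hypothetical names constructed for illustration; the check is lexical only and does not resolve symlinks.

```javascript
// Added example: allow-listed static roots with a traversal-safe containment check.
const path = require('path').posix; // POSIX rules so results are identical on any host

// Weak form: a string-prefix test also accepts sibling directories
// such as "/path/to/framework/app1-private".
function naivePrefixCheck(root, file) {
  return file.indexOf(root) === 0;
}

// Strong form: the path from root to file must not climb out of root.
function isInside(root, file) {
  const rel = path.relative(root, file);
  return rel !== '..' && !rel.startsWith('../');
}

// roots:  allow-listed absolute directories, tried in order (like stacked middleware)
// exists: callback standing in for a filesystem lookup, so the example runs offline
function resolveStatic(roots, urlPath, exists) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // "%2e%2e" becomes ".." before checking
  } catch (e) {
    return { status: 400 };                // malformed percent-encoding
  }
  if (decoded.includes('\0')) return { status: 400 };
  for (const root of roots) {
    const candidate = path.join(root, decoded); // join() also collapses ".." segments
    if (!isInside(root, candidate)) return { status: 403 };
    if (exists(candidate)) return { status: 200, file: candidate };
  }
  return { status: 404 };
}

// Constructed sample data: two allow-listed roots and the files they contain.
const ROOTS = ['/path/to/framework/app1', '/path/to/framework/common'];
const FILES = new Set([
  '/path/to/framework/app1/css/site.css',
  '/path/to/framework/common/js/lib.js',
]);
const exists = (f) => FILES.has(f);

for (const url of ['/css/site.css', '/js/lib.js', '/%2e%2e/%2e%2e/etc/passwd']) {
  console.log(url, JSON.stringify(resolveStatic(ROOTS, url, exists)));
}
```

Listing the shared directory as a second root serves the common files without loosening the per-root check, and a root of `/` passes the same check for every absolute path on the filesystem.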

@akidee

I don't understand the sense of this API. I want to define the URL entry point, like:

```js
server.use('firstDir', connect.static(__dirname+'/static/xyz'))
server.use('secondDir/otherpath', connect.static(__dirname+'/../otherdir'))
```

This would make sense.
