Allow staticfiles to follow symlinks outside directory #1377
Isn't that behavior a security concern and would allow path traversal?
Added a few comments, mostly about os.path vs pathlib stuff, so not blocking on my side, but I would see it as probably more readable.
Thoughts?
looks good to me
Please do not merge until 0.19.1 is released. This should be up on 0.20.0.
@Kludex Can we merge this now?
correct me if I'm wrong, but this PR changes the API from
…tarlette into fix-staticfiles-follow-symlinks
…iles-follow-symlinks
…tarlette into fix-staticfiles-follow-symlinks
LGTM! 👍
I've added a comment about an alternative solution, but use whatever you prefer.
Fixes #1083.
Right now we don't allow StaticFiles to break outside of statics directory:
starlette/starlette/staticfiles.py
Lines 162 to 165 in 0aef172
Since we already follow symlinks for directory and path, I think it makes sense to allow StaticFiles to break out of statics directory if it's following a symlink.
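The distinction this thread turns on, between `..` traversal and a symlink placed inside the served directory, is shown here as an added example. It is not code from this PR or from Starlette; `lookup`, `build_demo_tree` and the `follow_symlinks` argument are hypothetical names, and the directory layout is constructed sample data.

```python
import os
import tempfile


def lookup(directory, request_path, follow_symlinks=False):
    """Return the file to serve for request_path, or None if it is rejected.

    Hypothetical helper for illustration, not Starlette's code.
    """
    base = os.path.realpath(directory)
    joined = os.path.join(base, request_path)
    if follow_symlinks:
        # Lexical normalisation: collapses ".." but leaves symlinks unresolved,
        # so a link inside the directory may point anywhere on disk.
        full = os.path.abspath(joined)
    else:
        # Resolves symlinks first, so a link's target must itself be inside base.
        full = os.path.realpath(joined)
    # commonpath compares whole path components, unlike a string prefix test.
    if os.path.commonpath([full, base]) != base:
        return None
    return full if os.path.isfile(full) else None


def build_demo_tree():
    """Constructed sample layout: static/app.css, outside/secret.txt,
    and a symlink static/shared -> ../outside."""
    root = os.path.realpath(tempfile.mkdtemp())
    static = os.path.join(root, "static")
    outside = os.path.join(root, "outside")
    os.mkdir(static)
    os.mkdir(outside)
    for path in (os.path.join(static, "app.css"), os.path.join(outside, "secret.txt")):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.symlink(outside, os.path.join(static, "shared"))
    return static


if __name__ == "__main__":
    static = build_demo_tree()
    for req in ("app.css", "shared/secret.txt", "../outside/secret.txt",
                "shared/../../outside/secret.txt"):
        for follow in (False, True):
            print(f"{req!r:40} follow={follow!s:5} -> {lookup(static, req, follow)}")
```

In both modes a request containing `..` that lands outside the directory is rejected; only the symlink case changes, which means that with following enabled, whoever can create links inside the served directory decides what is reachable through it.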