Skip to content

jj1bdx/plug_static_ls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

87 Commits
config
config
 
 
icons
icons
 
 
lib
lib
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mix.exs
mix.exs
 
 
mix.lock
mix.lock
 
 

Repository files navigation

PlugStaticLs

Directory Index for Plug/Phoenix Static Assets

Security fix

  • Null byte injection in Plug.Static source code affected PlugStaticLs
  • See https://elixirforum.com/t/security-releases-for-plug/3913
  • Versions affected: v0.6.0 and all earlier versions v0.[012345].x
  • Version fixed: v0.6.1
  • Thanks to: José Valim for reporting and summary (See the Elixir Forum article for the original contributors)

WARNING: inherent vulnerabilities regarding directory listing

Providing directory listing may reveal following vulnerabilities:

  • Contents of unintended files left in the directory will be shown to the HTTP clients, including the search engines.
  • Directory listing requires file stat operations and may result in consuming computing resources.
  • Directory listing reveals not only the file contents but the file name, the last modification time (mtime), and the size.

Here is a list of security advisories against making directory listing available to the public:

Do not provide directory listing unless you are 100% sure about the contents in the directory.

Installation

This package is available in Hex as plug_static_ls. The package can be installed as:

  1. Add plug_static_ls to your list of dependencies in mix.exs:
```elixir
def deps do
  [{:plug_static_ls, "~> 0.6.1"}]
end
```
  1. Ensure plug_static_ls is started before your application:
```elixir
def application do
  [applications: [:plug_static_ls]]
end
```

Prerequisites

The filename locale of the Erlang VM must be explicitly specified to UTF-8. See Erlang's erl +fnu option description for the details.

Note: Elixir assumes UTF-8 usage on the filenames and internal strings.

Usage

Add PlugStaticLs after Plug.Static in endpoint.ex. The access restriction options for PlugStaticLs should include the corresponding setting of Plug.Static. Allow access only to the directories where the index is really required.

plug Plug.Static, at: "/", from: :my_app
plug PlugStaticLs, at: "/", from: :my_app, only: ~w(with_listing)

# Note: non-existent file will be routed here
# Explicit plug to catch this case is required

Dialyzer via dialyxir can be used via mix dialyzer.

License

Apache License 2

Acknowledment

The basic skeleton of this package is derived from static.ex aka Plug.Static module of the Plug repository.

The directory listing page design is derived from Yaws Web Server.

About

Serving directory Index for Plug/Phoenix Static Assets

hex.pm/packages/plug_static_ls

Topics

elixir plug static-website phoenix-framework

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

5 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

14 tags

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages