alehaa/nginx-fancyindex-flat-theme

potential security risk of readme example configuration

kdurov opened this issue · 1 comments

location /theme {
    alias /srv/www/fileserver/theme;
}

is an exploitable configuration, as hackers could access unrelated files within the /srv/www/fileserver/ directory via https://[host]/themeWHATEVER, although files named themeWHATEVER are unlikely to exist.
It's a good practice to add trailing slashes to both location and alias to prevent path traversal and this potential risk.

location /theme/ {
    alias /srv/www/fileserver/theme/;
}

Thanks for the advice. I've fixed the configuration in 716bddb.
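
An added example, not code from this repository or from either participant: a small Python model of how a prefix `location` with `alias` maps a request URI onto the filesystem, plus a check that flags the README's original block. The function names and the regex-based parsing (plain prefix locations, flat blocks only) are assumptions made for illustration.

```python
import posixpath
import re

# Plain prefix locations only (no =, ~, ~*, ^~ modifier), flat blocks without nested braces.
LOCATION_RE = re.compile(r"location\s+(?P<prefix>/[^\s{]*)\s*\{(?P<body>[^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+(?P<path>[^;\s]+)\s*;")

# The two blocks from the issue: README original and the suggested fix.
BEFORE = "location /theme {\n    alias /srv/www/fileserver/theme;\n}\n"
AFTER = "location /theme/ {\n    alias /srv/www/fileserver/theme/;\n}\n"


def map_uri(prefix, alias, uri):
    """Model alias substitution: the matched location prefix is replaced by the alias path."""
    if not uri.startswith(prefix):
        return None  # this location does not match the URI
    return posixpath.normpath(alias + uri[len(prefix):])


def escapes_alias(prefix, alias, uri):
    """True if the URI is served from a path outside the aliased directory."""
    mapped = map_uri(prefix, alias, uri)
    if mapped is None:
        return False
    root = posixpath.normpath(alias)
    return mapped != root and not mapped.startswith(root + "/")


def audit(conf_text):
    """Return (prefix, alias) for each alias block whose location lacks a trailing slash."""
    findings = []
    for block in LOCATION_RE.finditer(conf_text):
        alias = ALIAS_RE.search(block.group("body"))
        if alias and not block.group("prefix").endswith("/"):
            findings.append((block.group("prefix"), alias.group("path")))
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "flagged:", audit(conf))
        block = LOCATION_RE.search(conf)
        prefix = block.group("prefix")
        alias = ALIAS_RE.search(block.group("body")).group("path")
        # /theme/style.css is a constructed URI; /themeWHATEVER is the issue's example.
        for uri in ("/theme/style.css", "/themeWHATEVER"):
            print(" ", uri, "->", map_uri(prefix, alias, uri),
                  "outside theme dir:", escapes_alias(prefix, alias, uri))
```

Running `audit()` over a site's configuration files lists every `alias` block that still uses a slash-less prefix, which is the pattern the fix above removes.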