JSON files should not expose server paths
Closed this issue · 2 comments
options.json has at least 3 options (album_path, index_html_path and cache_path) where absolute paths from the server are disclosed.
Other JSON files created by the scanner contain similar options like absolutePath that expose the server's directory layout.
To reduce security exposure, this information should not be exposed in these files. I don't understand why a static web application would require knowing absolute paths from the server. At least, myphotoshare runs correctly when options.json contains only relative paths instead of absolute ones.
You're right, actually none of album_path, index_html_path and cache_path are needed, neither by JavaScript nor by PHP, so it's safe not to save them in options.json. This is now fixed in master.
Nor is absolutePath needed in js or php, removing it too.
Closing the issue, thanks to pmetras for reporting it!
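A check in the spirit of this issue, added here as an example and not part of myphotoshare's code: it walks a published JSON document and reports every string value that looks like an absolute filesystem path. Only the key names album_path, index_html_path, cache_path and absolutePath come from the issue; the sample documents, their layout, the other keys and all values are constructed.

```python
import json
import re

# Heuristic for absolute filesystem paths: POSIX root ("/srv/..."),
# Windows drive ("C:\\..."), or UNC share ("\\\\host\\share").
# Protocol-relative URLs ("//cdn...") are skipped; root-relative URLs
# ("/img/a.jpg") still match and need manual review.
ABSOLUTE_PATH = re.compile(r"^(?:/(?!/)|[A-Za-z]:[\\/]|\\\\)")


def find_absolute_paths(node, location=""):
    """Yield (location, value) for each string that looks like an absolute path."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_absolute_paths(value, f"{location}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_absolute_paths(value, f"{location}/{index}")
    elif isinstance(node, str) and ABSOLUTE_PATH.match(node):
        yield location, node


def audit(json_text):
    """Parse one JSON document and return the list of findings."""
    return list(find_absolute_paths(json.loads(json_text)))


# Constructed sample of an options.json that still discloses server paths.
SAMPLE_OPTIONS = json.dumps({
    "album_path": "/srv/www/photos/albums",
    "index_html_path": "/srv/www/photos",
    "cache_path": "/srv/www/photos/cache",
    "title": "Holiday pictures",          # hypothetical key
})

# Constructed sample of a scanner-generated album file (layout is assumed).
SAMPLE_ALBUM = json.dumps({
    "path": "albums/holiday",
    "media": [{"name": "a.jpg",
               "absolutePath": "/srv/www/photos/albums/holiday/a.jpg"}],
})

if __name__ == "__main__":
    for name, text in (("options.json", SAMPLE_OPTIONS), ("album", SAMPLE_ALBUM)):
        for location, value in audit(text):
            print(f"{name}: {location} discloses {value}")
```

Run over every JSON file in the web root after a scan, an empty result is the expected state once the paths are no longer written.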