paolobenve/myphotoshare

JSON files should not expose server paths

Closed this issue · 2 comments

options.json has at least 3 options (album_path, index_html_path and cache_path) where absolute paths from the server are disclosed.

Other JSON files created by the scanner contain similar options like absolutePath that expose server directories layout.

To reduce security exposure, this information should not be exposed in these files. I don't understand why a static web application would require knowing absolute paths from the server. At least, myphotoshare runs correctly when options.json contains only relative paths instead of absolute ones.
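As an added illustration of the check a maintainer might run over the scanner's output (this is not myphotoshare's own code), the following Python walks a JSON document and reports every string that looks like an absolute server path or sits under one of the option names the report calls out (album_path, index_html_path, cache_path, absolutePath), then produces a copy with those keys dropped. The options.json content below is constructed for the example, and the regex for "looks like an absolute path" is an assumed heuristic covering POSIX and Windows drive paths.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Heuristic (assumption, not from the project): a POSIX absolute path or a
# Windows drive path. Relative values such as "cache" or "2019" do not match.
ABS_PATH_RE = re.compile(r"^(/[^/\s][^\s]*|[A-Za-z]:\\[^\s]*)$")

# Option names the issue identifies as disclosing server layout.
SUSPECT_KEYS = {"album_path", "index_html_path", "cache_path", "absolutePath"}

# Constructed sample of a pre-fix options.json (not a real deployment).
SAMPLE_OPTIONS_JSON = """{
  "album_path": "/var/www/photos/albums",
  "index_html_path": "/var/www/html/myphotoshare",
  "cache_path": "/var/www/html/myphotoshare/cache",
  "cache_folder": "cache",
  "media_thumb_size": 150,
  "albums": [
    {"name": "2019", "absolutePath": "/var/www/photos/albums/2019", "path": "2019"}
  ]
}"""


def _walk(obj: Any, path: str, key: str) -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, nearest_key, value) for every leaf in a parsed document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}", k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, obj


def find_server_paths(doc: Any) -> List[Tuple[str, str]]:
    """Return (json_path, value) for each string that leaks a server path.

    A string is flagged if it matches ABS_PATH_RE or if its key is one of the
    names known to carry server paths, so a relative value under album_path is
    still reported for manual review.
    """
    findings = []
    for path, key, value in _walk(doc, "$", ""):
        if isinstance(value, str) and (ABS_PATH_RE.match(value) or key in SUSPECT_KEYS):
            findings.append((path, value))
    return findings


def strip_server_paths(doc: Any) -> Any:
    """Return a deep copy of doc with every SUSPECT_KEYS entry removed.

    This mirrors the fix described in the issue thread: the options are simply
    not written out, since the web front end does not need them.
    """
    if isinstance(doc, dict):
        return {k: strip_server_paths(v) for k, v in doc.items() if k not in SUSPECT_KEYS}
    if isinstance(doc, list):
        return [strip_server_paths(v) for v in doc]
    return doc


def audit_json_text(text: str) -> List[str]:
    """Parse JSON text and return the JSON paths of all leaked server paths."""
    return [path for path, _ in find_server_paths(json.loads(text))]


if __name__ == "__main__":
    doc = json.loads(SAMPLE_OPTIONS_JSON)
    for path, value in find_server_paths(doc):
        print(f"leak: {path} = {value}")
    cleaned = strip_server_paths(doc)
    print("after strip:", json.dumps(cleaned))
    print("remaining leaks:", find_server_paths(cleaned))
```

Run it against the real generated files (`audit_json_text(open("options.json").read())`) after a scan; an empty list means nothing in the output matches the heuristic, while any finding points at the exact JSON path to inspect.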

You're right. Actually, none of album_path, index_html_path and cache_path are needed, neither by JavaScript nor by PHP, so it's safe not to save them in options.json. This is now fixed in master.

Nor is absolutePath needed in js or php, removing it too.

Closing the issue, thanks to pmetras for reporting it!