DioxusLabs / dioxus

Fullstack GUI library for web, desktop, mobile, and more.
https://dioxuslabs.com
Apache License 2.0
18.5k stars, 704 forks

Gzip of all assets exposes server binary in release build #2327

Closed. ochrons closed this 1 week ago

ochrons commented 2 weeks ago

Problem

When running the fullstack server in release mode, it automatically compresses all files into .gz versions, including the server binary itself. This can then be downloaded as a resource through the server itself via e.g. http://127.0.0.1:8080/dio-fullstack.gz

Needless to say, this is a serious security issue.

Expected behavior

Downloadable assets should be in a separate directory from the server binary. Server binary should never be exposed for download.

Assets should be compressed during compilation, not at runtime, as the directory might be read-only in many cases.

Environment:

ochrons commented 2 weeks ago

As a workaround before the problem is fixed, you can prevent the creation of the binary gz file by

cd dist
touch dio-fullstack.gz
chmod -w dio-fullstack.gz

after building the release version. This will prevent the server from creating a gzipped version of its own binary. Naturally, replace dio-fullstack with the name of your server app.

ealmloff commented 2 weeks ago

If your project looks like:

- project
   - dist
      - server.exe
      - other-files...

You can move your server up from dist to project and run it to avoid this issue. It only serves the dist directory.
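Both comments above amount to one invariant: the directory the server serves must not contain the server's own executable or a gzipped copy of it. The following is an added example, not Dioxus code, of a startup check that enforces that invariant before the server binds a port. It walks the served directory, flags the executable if it lives under that directory, and flags any non-empty file named `<exe>` or `<exe>.gz` anywhere in the tree; the zero-byte read-only placeholder from the workaround above is deliberately ignored. The function name `exposed_binary_paths`, the `project/dist` layout in `main`, and the use of `std::env::current_exe()` to locate the binary are assumptions for the sake of the example.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// File names under which the server binary could be handed to HTTP clients:
/// the executable itself and the gzipped copy this issue is about.
fn exposed_names(exe: &Path) -> Vec<String> {
    let name = exe.file_name().and_then(|n| n.to_str()).unwrap_or("").to_string();
    vec![name.clone(), format!("{name}.gz")]
}

/// Returns every path inside `serve_root` that would expose the server binary
/// `exe` to clients: the binary itself if it lives under the served directory,
/// plus any non-empty `<name>` or `<name>.gz` found anywhere in the tree.
/// Zero-byte files are skipped so an empty read-only placeholder (the
/// workaround in this issue) is not reported.
pub fn exposed_binary_paths(serve_root: &Path, exe: &Path) -> io::Result<Vec<PathBuf>> {
    let root = serve_root.canonicalize()?;
    let exe = exe.canonicalize()?;
    let mut found = Vec::new();

    // Case 1 (ealmloff's comment): the binary itself sits inside `dist`.
    if exe.starts_with(&root) {
        found.push(exe.clone());
    }

    // Case 2: a copy or .gz of the binary exists somewhere under `dist`.
    let names = exposed_names(&exe);
    let mut stack = vec![root];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let path = entry.path();
            let ft = entry.file_type()?;
            if ft.is_dir() {
                stack.push(path);
                continue;
            }
            if !ft.is_file() || entry.metadata()?.len() == 0 {
                continue; // directories handled above; empty placeholders ignored
            }
            let matches = path
                .file_name()
                .and_then(|n| n.to_str())
                .map_or(false, |n| names.iter().any(|x| x == n));
            if matches && !found.contains(&path) {
                found.push(path);
            }
        }
    }
    found.sort();
    Ok(found)
}

/// Hypothetical startup guard: `server [serve_root]` exits non-zero if the
/// served directory would expose the running executable.
fn main() {
    let serve_root = std::env::args().nth(1).unwrap_or_else(|| "dist".to_string());
    let exe = std::env::current_exe().expect("cannot locate running executable");
    match exposed_binary_paths(Path::new(&serve_root), &exe) {
        Ok(paths) if paths.is_empty() => {
            println!("ok: {serve_root} does not expose {}", exe.display());
        }
        Ok(paths) => {
            for p in &paths {
                eprintln!("refusing to start: {} would be served", p.display());
            }
            std::process::exit(1);
        }
        Err(e) => {
            eprintln!("error checking {serve_root}: {e}");
            std::process::exit(2);
        }
    }
}
```

The check is a backstop, not a substitute for the fix requested in the issue: the real remedy is to keep build outputs and the server binary in separate directories and to compress assets at build time. Running the guard with the layout from ealmloff's comment (binary in `project`, assets in `project/dist`) reports nothing; running it from inside `dist` reports both the binary and its `.gz` copy.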