Closed ochrons closed 1 week ago
As a workaround before the problem is fixed, you can prevent the creation of the binary gz file by

```sh
cd dist
touch dio-fullstack.gz
chmod -w dio-fullstack.gz
```

after building the release version. This will prevent the server from creating a gzipped version of its own binary. Naturally, replace `dio-fullstack` with the name of your server app.
If your project looks like:

- project
  - dist
    - server.exe
    - other-files...

You can move your server up from `dist` to `project` and run it to avoid this issue. It only serves the `dist` directory.
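Both workarounds above, as an added example that is not part of the thread: a small POSIX shell audit that lists what in a served `dist` directory would be fetchable as an asset (the server binary and any `.gz` twin of it), plus the touch/chmod placeholder from the first comment wrapped in a function. The directory layout it is run against is constructed; the app name `dio-fullstack` is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the project.
# exposed_files DIST  - list regular files under DIST that an HTTP client could
#                       fetch and that should never be there: executables, and
#                       any non-empty .gz file whose uncompressed twin is executable.
# block_gz DIST APP   - pre-create DIST/APP.gz as an empty read-only file so the
#                       server cannot write its own compressed binary there
#                       (the workaround from the thread); prints the mode string.

exposed_files() {
    dist=$1
    for f in "$dist"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz)
                base=${f%.gz}
                # An empty placeholder leaks nothing, so only report a .gz
                # that has content and sits next to an executable of the same name.
                if [ -s "$f" ] && [ -f "$base" ] && [ -x "$base" ]; then
                    basename "$f"
                fi
                ;;
            *)
                # The binary itself inside the served tree is the core problem.
                if [ -x "$f" ]; then
                    basename "$f"
                fi
                ;;
        esac
    done
}

block_gz() {
    dist=$1
    app=$2
    # Start from a clean slate in case a previous read-only placeholder exists.
    rm -f "$dist/$app.gz"
    : > "$dist/$app.gz"
    # Drop write permission for everyone (equivalent of the thread's chmod -w).
    chmod a-w "$dist/$app.gz"
    # Return the ten-character permission string, e.g. -r--r--r--
    ls -l "$dist/$app.gz" | cut -c1-10
}
```

Running `exposed_files dist` after a release build should print nothing; any line it does print is a file the server will serve over HTTP.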
Problem
When running the fullstack server in release mode, it automatically compresses all files into .gz versions, including the server binary itself. This can then be downloaded as a resource through the server itself, e.g. via http://127.0.0.1:8080/dio-fullstack.gz
No need to say, but this is a serious security issue.
Expected behavior
Downloadable assets should be in a separate directory from the server binary. The server binary should never be exposed for download.
Assets should be compressed during compilation, not at runtime, as the directory might be read-only in many cases.
Environment: