expressjs / serve-static

Serve static files
MIT License

Disable symlinks #120

Open gregmartyn opened 5 years ago

gregmartyn commented 5 years ago

If I'm doing .use(express.static('/var/www/html')) and some attacker manages to ln -s /etc/passwd /var/www/html, then http://host/passwd will serve up /etc/passwd. Is there any way to tell serve-static not to follow symlinks, or to restrict them so that they're only followed to files within the directory being served?

I'm essentially asking for Apache's FollowSymLinks or nginx's disable_symlinks.

dougwilson commented 5 years ago

No, this is not a feature currently, but a pull request to add such a feature would definitely be welcome!

jayk commented 4 years ago

I submitted a pull request that provides this behavior via a new option called followsymlinks which defaults to true. If it's set to false, it will cause paths that contain symlinks to be forbidden.